VCAP-CIA objective 5.1 – Manage vCloud Director SSL Certificates

August 1st, 2013

The blueprint states the following skills needed to cover this objective.

  • Create and process certificate requests
  • Replace default certificates

SSL certificates are an absolute requirement for vCloud Director to work. You will need 2 different certificates, one for the vCloud Director Web Interface and one for the Console Proxy. There are 2 options for SSL certificates, self-signed and CA signed. The process to create the certificate requests and generate the certificates is described in the vCloud Director Installation and Upgrade Guide on pages 17 – 20 in the English version. There is also the following KB article describing the process in detail.

Generating SSL certificates for VMware vCloud Director
http://kb.vmware.com/kb/1026309

To create untrusted self-signed certificates simply run the following 2 commands on the vCD cell.

keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias http
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias consoleproxy

This generates the certificates which are valid for 90 days by default (use the -validity parameter to set a different value).

You can list the contents of the keystore using the following command.

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

You should expect to see both certificates in there.

To actually replace the certificates now you can follow the guidelines in the English version of the vCloud Director Administrator’s Guide on page 16. It is basically a 3 step process.

  1. Stop the vCD cell
  2. Run the configuration script again
  3. Provide the path to the new keystore file and passwords for the keystore and certificates

After a restart of the cell the new certificates should be loaded and accessible.

The process to create CA signed certificates is slightly different. Instead of creating the certificate itself we are going to use keytool to create requests which have to be handed over to a CA, which will provide back the actual certificate files. These will be imported into a keystore again, like the self-signed certificates. The procedure to actually replace the certificates for the cell stays the same.

The requests can be created by using the following 2 commands.

keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr

You will need an existing certificates.ks keystore with self-signed certificates for the consoleproxy and http interface in it for these commands to work.

Upload these files to your CA and request the certificates. You will need to get back the 2 requested certificates, the root certificate for the CA and any intermediate CA certs if they exist. These need to be imported into the keystore using the following commands.

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias root -file root.cer
(optional) keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias intermediate -file intermediate.cer
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http -file http.cer
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias consoleproxy -file consoleproxy.cer

When the complete chain is imported you should list the contents of the keystore to make sure everything is in there.

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list
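As an added check that is not part of the original post or the VMware guides, the following POSIX shell script parses the verbose listing (keytool -list -v) and verifies that both private key entries carry a full certificate chain, which is what distinguishes a keystore where the CA reply was accepted from one still holding the self-signed certificates. The function names and the trimmed sample listing are my own; the aliases http, consoleproxy and root mirror the commands above, and the sample data is constructed.

```shell
#!/bin/sh
# Added check (not from the VMware guide or KB 1026309): parse "keytool -list -v"
# output and verify that http and consoleproxy are PrivateKeyEntry with a chain of
# at least MIN_CHAIN certificates. Chain length 1 after the CA import means the
# reply was not accepted and the cell would keep presenting the self-signed cert.

# Print "alias entry_type chain_length" per entry of a -v listing read on stdin.
vcd_entries() {
    awk '
        function flush() { if (alias != "") print alias, type, len }
        /^Alias name:/               { flush(); alias = $3; type = "?"; len = 0 }
        /^Entry type:/               { type = $3; if (type == "trustedCertEntry") len = 1 }
        /^Certificate chain length:/ { len = $4 }
        END                          { flush() }'
}

# Return 0 only if http and consoleproxy are PrivateKeyEntry with >= MIN_CHAIN certs.
check_vcd_keystore() {
    min=${1:-2}; rc=0
    entries=$(vcd_entries)   # consume the listing once
    for want in http consoleproxy; do
        set -- $(printf '%s\n' "$entries" | awk -v a="$want" '$1 == a')
        if [ $# -eq 0 ]; then
            echo "MISSING: alias $want not in keystore" >&2; rc=1
        elif [ "$2" != "PrivateKeyEntry" ]; then
            echo "WRONG TYPE: $want is $2, expected PrivateKeyEntry" >&2; rc=1
        elif [ "$3" -lt "$min" ]; then
            echo "SHORT CHAIN: $want has $3 certificate(s), expected >= $min" >&2; rc=1
        else
            echo "OK: $want is a PrivateKeyEntry with chain length $3"
        fi
    done
    return $rc
}

# Constructed sample (not a real cell), trimmed to the lines the parser reads:
# chain length 1 mimics the self-signed store, 3 the store after the CA import.
sample_listing() {
    cat <<EOF
Alias name: consoleproxy
Entry type: PrivateKeyEntry
Certificate chain length: $1
Alias name: http
Entry type: PrivateKeyEntry
Certificate chain length: $1
Alias name: root
Entry type: trustedCertEntry
EOF
}
```

On a cell, pipe the real listing into the check: keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list -v | check_vcd_keystore 2 (use 3 when an intermediate CA is in the chain).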

When everything is in place you can run the configure script as described above to actually replace the certificates. You should also import the root certificate into the trusted certificates store of the clients actually using vCloud Director to get rid of the security warnings.
