This is a run through what I did to update an expiring certificate in vCloud Director 8.20 to a wildcard certificate.
On the pre-reqs below: a wise leader of mine once advised me to get all your ducks in a row before starting. Get your list of variables together and make it easy on yourself; once you have all the correct certs, commands etc., it's just a matter of copying and pasting into the vCD cells.
The first time was nerve-wracking of course, but the 2nd and 3rd were a quick 20 min job.
There are some vCD 8.20 guides here, and the VMware KB article 2021877 is a good reference here as well.
Pre-requisites
Before starting you must have the certificate types and keys listed below.
VARIABLES
$WILDCERT = star_url_com.crt
$WILDKEY = wildcard_url_com.key
$KEYSTORE = /opt/vmware/vcloud-director/jre/CERTIFICATES.ks
$ROOTCERT = /opt/vmware/vcloud-director/jre/ROOT-TrustedRoot.crt
$INTCERT = /opt/vmware/vcloud-director/jre/INT-CertCA.crt
$HTTPOUTPUT = /opt/vmware/vcloud-director/jre/http.pfx
$CONSOLEOUTPUT = /opt/vmware/vcloud-director/jre/consoleproxy.pfx
$STOREPASS = password you are going to use
!!! PRE REQ IF NEEDED !!!
**/ Converting a cert to PFX (one PFX per alias; the PFX password must be the same $STOREPASS that the importkeystore step below passes as -srcstorepass)
openssl pkcs12 -export -in $WILDCERT -inkey $WILDKEY -name http -passout pass:$STOREPASS -out $HTTPOUTPUT
openssl pkcs12 -export -in $WILDCERT -inkey $WILDKEY -name consoleproxy -passout pass:$STOREPASS -out $CONSOLEOUTPUT
!!! CERTIFICATE IMPORT !!!
**/ IMPORT CHAIN ( ROOT & INT)
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass $STOREPASS -keystore $KEYSTORE -import -alias root -file $ROOTCERT
Answer yes when keytool asks whether to trust the root certificate.
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass $STOREPASS -keystore $KEYSTORE -import -alias intermediate -file $INTCERT
**/ IMPORT HTTP CERT to KEYSTORE
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -srckeystore $HTTPOUTPUT -srcstoretype PKCS12 -destkeystore $KEYSTORE -deststoretype JCEKS -deststorepass $STOREPASS -srcalias http -destalias http -srcstorepass $STOREPASS
**/ IMPORT CONSOLE CERT to KEYSTORE
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -srckeystore $CONSOLEOUTPUT -srcstoretype PKCS12 -destkeystore $KEYSTORE -deststoretype JCEKS -deststorepass $STOREPASS -srcalias consoleproxy -destalias consoleproxy -srcstorepass $STOREPASS
AT THIS POINT THE KEYSTORE CONTAINS the HTTP, CONSOLE, INT and ROOT certs.
!!!KEYSTORE VALIDATION!!!
/opt/vmware/vcloud-director/jre/bin/keytool -list -v -storetype JCEKS -keystore $KEYSTORE
Check that all four aliases (root, intermediate, http, consoleproxy) are listed and that the http and consoleproxy entries show the new expiry date.
!!!VCLOUD CHANGE!!!
**/ Change vCloud to use the NEW certificates from the KEYSTORE (-p sets the HTTP certificate, -j the console proxy certificate)
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p -k $KEYSTORE -w $STOREPASS
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -k $KEYSTORE -w $STOREPASS
**/ Restart service to apply certificates
service vmware-vcd restart
**/ Monitor Restarting service
tail -f /opt/vmware/vcloud-director/logs/cell.log
!!!VALIDATION!!!
**/ Check the status after changing certificates (this may be deprecated as it does not show the current CERTIFICATES.ks; needs to be confirmed.)
cat /opt/vmware/vcloud-director/etc/global.properties
user.keystore.path should equal $KEYSTORE
Within vCloud Director – Administration – Public Addresses
Update the URL here with your new URL, and also for the tenant portal and the web console portal.
You should get a browser security prompt, since the new cert and URL are now being used.
If you open a console to a VM within vCloud you should see the new URL in the console window.
!!!CLEANUP!!!
Delete all files that were uploaded and generated except for the keystore; the .key and .pfx files in particular contain the private key and should not be left lying around on the cells.
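A pre-flight script for the pre-requisites (cert matches key, chain verifies against the root and intermediate files, cert is not about to expire, SAN covers the wildcard name) plus a check on the keystore listing, as an added example that is not part of the original post. It assumes only openssl on the box and the post's file paths; keystore_has_aliases reads the output of the keytool -list command above on stdin.

```shell
# Pre-flight checks for the wildcard cert, key and chain, plus a check on the
# keystore listing. Added example, not from the original post; needs only openssl.

# 0 if the private key's public half equals the certificate's public key
# (catches pairing the new cert with last year's key before building the PFX).
cert_key_match() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 0 if the certificate is still valid in DAYS days (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 0 if LEAF chains to ROOT through INT, i.e. the files keytool will import under
# the root and intermediate aliases really are the issuers of this certificate.
chain_verifies() {
  local leaf=$1 int=$2 root=$3
  openssl verify -CAfile "$root" -untrusted "$int" "$leaf" >/dev/null 2>&1
}

# 0 if NAME (e.g. '*.url.com') is one of the certificate's DNS SAN entries.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF -- "DNS:$2"
}

# Reads `keytool -list` (plain or -v) output on stdin; 0 only if every alias the
# post imports (root, intermediate, http, consoleproxy) is present.
keystore_has_aliases() {
  local listing a
  listing=$(cat)
  for a in root intermediate http consoleproxy; do
    printf '%s\n' "$listing" | grep -qE "^(Alias name: $a\$|$a,)" || return 1
  done
}

# Runs every certificate check, prints each failure, non-zero if any failed.
preflight() {   # preflight WILDCERT WILDKEY INTCERT ROOTCERT NAME
  local rc=0
  cert_key_match "$1" "$2"      || { echo "FAIL: $2 does not match $1"; rc=1; }
  cert_valid_for_days "$1" 30   || { echo "FAIL: $1 expires within 30 days"; rc=1; }
  chain_verifies "$1" "$3" "$4" || { echo "FAIL: $1 does not chain to $4 via $3"; rc=1; }
  cert_has_san "$1" "$5"        || { echo "FAIL: $1 has no DNS SAN for $5"; rc=1; }
  return $rc
}
```

Run preflight $WILDCERT $WILDKEY $INTCERT $ROOTCERT '*.url.com' before the PFX step, and pipe the keytool -list output into keystore_has_aliases after the imports.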