A few months back, I did a vCloud Director implementation and one of the requirements was to replace the default self-signed certificates with a CA-signed wildcard certificate. In my case the customer supplied the certificate and its private key as a PKCS#12 bundle; we will call it certificate.pfx.
Here are the steps I followed to import the wildcard certificate (using both openssl and keytool):
1. Convert the pfx to PEM (despite the .cer extension, the output is a PEM file holding the certificate chain and the unencrypted private key): openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
2. Obtain the private key from certificate.cer: cut and paste the block between the BEGIN PRIVATE KEY and END PRIVATE KEY lines into a new file named wildcard.key. Both files now contain the key in the clear, so restrict their permissions and delete them once the keystore is built.
3. Recreate the pfx with the alias set (PKCS12 keystore; the -name value becomes the alias once imported into the Java keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name http -passout pass:password -out http.pfx
4. Use the same certificate and key to create the consoleproxy pfx (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name consoleproxy -passout pass:password -out consoleproxy.pfx
5. Import the two PKCS12 keystores into a single Java keystore (JCEKS) using keytool. Run it from /opt/vmware/vcloud-director/jre/bin so the JRE bundled with vCloud Director creates the file, and keep the -name from steps 3 and 4 as the alias:
./keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias http -destalias http -srcstorepass password
./keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias consoleproxy -destalias consoleproxy -srcstorepass password
6. Import the root certificate into the same keystore (keytool asks "Trust this certificate?" for a self-signed root; answer yes):
./keytool -importcert -alias root -file DigiCertHighAssuranceEVRootCA.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password
7. Import the intermediate certificate into the same keystore:
./keytool -importcert -alias intermediate -file DigiCertHighAssuranceCA-3.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password
8. Verify the CERTIFICATES.ks keystore; http and consoleproxy should be listed as PrivateKeyEntry and root and intermediate as trustedCertEntry:
./keytool -list -keystore CERTIFICATES.ks -storetype JCEKS -storepass password
9. Give the vcloud service account ownership of the keystore (it holds the private keys, so it should be readable by that account only):
chown vcloud:vcloud /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks
10. Stop the VCD service: service vmware-vcd stop
11. Run the configure command: /opt/vmware/vcloud-director/bin/configure
12. When prompted for the keystore path, point to the following: /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks
13. When prompted to start the cell, press y and Enter
That should be it! Both the HTTP and the console proxy listeners now present the wildcard certificate. Hope someone finds it useful 🙂