Category: vCloud Director

vCloud Director: How to Preserve Network settings when deploying from a template

Image Rommel Humarang, VCIX6-NV, VCAP5-DCD/DCA, vSAN Specialist 2017, AWS-CSA, VCP-Cloud, Linux+, Security+Leave a comment

I got an inquiry a few weeks ago on how to deploy a vAPP from a vAPP template that will preserve the preconfigured network settings. I knew this can be done so I fired up my lab and did a quick test. As I found out, this can be easily achieved when adding a vAPP […]

Using Wildcard Certificates in vCloud Director

Rommel Humarang, VCIX6-NV, VCAP5-DCD/DCA, vSAN Specialist 2017, AWS-CSA, VCP-Cloud, Linux+, Security+5 Comments

A few months back, I did a vCloud implementation and one of the requirements is to use a signed wildcard certificate to replace the default self signed certs. In my case, I received a CA-signed certificate from the customer. We will call the certificate certificate.pfx

Here are the procedures that I did to import the wildcard certificate (We will use both openssl and keytool commands):

1. Convert pfx to pem: openssl pkcs12 -in certificate.pfx -out certificate.cer –nodes

2. Obtain the private key from certificate.cer (cut and paste the private key to a new file, name it wildcard.key)

3. Use the following command to recreate the pfx and set alias (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name http –passout pass:password -out http.pfx

4. Use the same certificate and key to create the consoleproxy pfx (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name consoleproxy -passout pass:password -out consoleproxy.pfx

5. Import the 2 PKCS12 keystore into Java keystore using keytool:

./keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 –destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password –srcalias http -destalias http -srcstorepass password
./keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks – deststoretype JCEKS -deststorepass password –srcalias consoleproxy -destalias consoleproxy -srcstorepass password

6. Import the root certificate to the same keystore:
/keytool -importcert -alias root -file DigiCertHighAssuranceEVRootCA.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

7. Import the Intermediate certificate to the same keystore:
./keytool -importcert -alias intermediate -file DigiCertHighAssuranceCA-3.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

8. Verify the CERTIFICATES.ks keystore:
./keytool -list -keystore CERTIFICATES.ks -storetype JCEKS -storepass password

9. Provide the necessary permission:
chown vcloud:vcloud /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks

10. Stop the VCD service: service vmware-vcd stop

11. Run the configure command: /opt/vmware/vcloud-director/bin/configure

12. When prompted for the certificate, point to the following: /opt/vmware/vclouddirector/jre/bin/CERTIFICATES.ks

13. When prompted to start the cell, press y and Enter

That should be it! You can now use the wildcard certificate for both the http and console proxy connections. Hope someone finds it useful 🙂