Using Wildcard Certificates in vCloud Director

A few months back, I did a vCloud implementation and one of the requirements was to use a signed wildcard certificate to replace the default self-signed certs. In my case, I received a CA-signed certificate from the customer. We will call the certificate certificate.pfx.

Here are the steps I followed to import the wildcard certificate (we will use both openssl and keytool commands):

1. Convert pfx to pem: openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

2. Obtain the private key from certificate.cer (copy the PRIVATE KEY block into a new file and name it wildcard.key)

3. Use the following command to recreate the pfx and set the alias (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name http -passout pass:password -out http.pfx

4. Use the same certificate and key to create the consoleproxy pfx (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name consoleproxy -passout pass:password -out consoleproxy.pfx

5. Import the two PKCS12 keystores into a Java keystore using keytool:

./keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias http -destalias http -srcstorepass password
./keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias consoleproxy -destalias consoleproxy -srcstorepass password

6. Import the root certificate to the same keystore:
./keytool -importcert -alias root -file DigiCertHighAssuranceEVRootCA.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

7. Import the intermediate certificate to the same keystore:
./keytool -importcert -alias intermediate -file DigiCertHighAssuranceCA-3.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

8. Verify the CERTIFICATES.ks keystore:
./keytool -list -keystore CERTIFICATES.ks -storetype JCEKS -storepass password

9. Set the ownership so the vcloud service account can read the keystore:
chown vcloud:vcloud /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks

10. Stop the VCD service: service vmware-vcd stop

11. Run the configure command: /opt/vmware/vcloud-director/bin/configure

12. When prompted for the certificate, point to the following: /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks

13. When prompted to start the cell, press y and Enter
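Steps 1 to 8 above as shell functions, added here as an example and not part of the original post. It assumes openssl 1.1.1 or later and keytool on the PATH, takes the passwords as arguments instead of the literal "password", extracts the key with openssl instead of cutting and pasting, and adds a check that the certificate really carries a wildcard name before anything is imported.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: openssl >= 1.1.1
# and keytool on PATH, certificate.pfx is a PKCS#12 bundle with the wildcard
# cert and its key, and the CA .crt files are already present.
set -eu

# Step 2 without cut-and-paste: write only the private key, unencrypted,
# readable by the owner alone.
extract_key() {             # $1=certificate.pfx $2=pfx password $3=wildcard.key
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3"
    chmod 600 "$3"
}

# Write only the leaf certificate (no key, no chain) as PEM.
extract_cert() {            # $1=certificate.pfx $2=pfx password $3=certificate.cer
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3"
}

# Sanity check before importing: the subject CN or a SAN is a wildcard name.
cert_is_wildcard() {        # $1=certificate.cer
    openssl x509 -in "$1" -noout -subject -ext subjectAltName | grep -q '\*\.'
}

# Steps 3 and 4: re-export cert+key under the alias VCD expects (http or consoleproxy).
make_pfx() {                # $1=certificate.cer $2=wildcard.key $3=alias $4=out.pfx $5=password
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -passout "pass:$5" -out "$4"
}

# Step 5: copy one alias from a PKCS12 keystore into the JCEKS keystore.
import_pfx() {              # $1=alias.pfx $2=alias $3=CERTIFICATES.ks $4=password
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$4" \
        -srcalias "$2" -destkeystore "$3" -deststoretype JCEKS -deststorepass "$4" -destalias "$2"
}

# Steps 6 and 7: add a trusted root or intermediate certificate.
import_ca() {               # $1=ca.crt $2=alias $3=CERTIFICATES.ks $4=password
    keytool -importcert -noprompt -alias "$2" -file "$1" -storetype JCEKS -keystore "$3" -storepass "$4"
}

# Step 8: both private-key entries VCD needs must be present in the keystore.
keystore_has_vcd_aliases() { # $1=CERTIFICATES.ks $2=password
    list=$(keytool -list -keystore "$1" -storetype JCEKS -storepass "$2")
    echo "$list" | grep -q '^http,' && echo "$list" | grep -q '^consoleproxy,'
}
```

Call the functions in order (extract_key, extract_cert, cert_is_wildcard, make_pfx twice, import_pfx twice, import_ca for root and intermediate, keystore_has_vcd_aliases) and only hand the keystore to configure when the last check succeeds.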

That should be it! You can now use the wildcard certificate for both the http and console proxy connections. Hope someone finds it useful 🙂