A few days ago I decided to redeploy the vCloud Connector Server and Node to my lab. After performing the initial installation I set about replacing the default untrusted SSL certificates with genuine ones, only to receive an error.
Regardless of what I tried, when I came to enable SSL I got the following message:
It would appear the GUI was having none of it. It was time to override it by dropping into the shell.
First I downloaded my Root and Issuing CA certificates from my certificate authority, and then using SFTP I copied them to the vCloud Connector Server. Both have to be in base64 (PEM) format.
I then SSH’d to the vCC Server and logged in as admin. The default password is “vmware” (minus quotes), but I had obviously changed mine by this point. I then SU’d to root.
I started by removing the existing certificate using:
/usr/java/latest/bin/keytool -delete -alias hcserver -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme
Next I added my Root CA certificate to the Java cacerts trust store using (substitute the alias and file name accordingly):
/usr/java/default/bin/keytool -import -trustcacerts -alias RootCA -file RootCA.crt -keystore cacerts -storepass changeit
In the above example, changeit is the default password of the Java cacerts trust store. I then did the same again with my Issuing CA certificate:
/usr/java/default/bin/keytool -import -trustcacerts -alias IssuingCA -file IssuingCA.crt -keystore cacerts -storepass changeit
Before installing a new certificate I first had to generate a new key using:
/usr/java/latest/bin/keytool -genkey -validity 3650 -keyalg RSA -keysize 2048 -alias hcserver -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme
In the questions that followed, I set the first and last name to the FQDN of the vCloud Connector Server.
I then generated the certificate signing request (substitute the file name accordingly):
/usr/java/latest/bin/keytool -certreq -alias hcserver -file /home/admin/hcserver.csr -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme
Using SFTP I retrieved the CSR and submitted it to my certificate authority using:
certreq -submit -config "issuingca.mdb-lab.com\mdb-lab.com Issuing CA" -attrib "CertificateTemplate:VMwareSSL" hcserver.csr vCloudConnectorServer.crt
I then copied the issued certificate back to the vCloud Connector Server and imported it using (substitute the file name accordingly):
/usr/java/latest/bin/keytool -import -alias hcserver -file /home/admin/vCloudConnectorServer.crt -trustcacerts -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme
If the certificate installed correctly you will receive:
Certificate reply was installed in keystore
I verified this using:
/usr/java/latest/bin/keytool -list -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme
This gave me:
I then restarted the service:
/etc/rc.d/hcserver-tomcat restart
The last remaining step was to enable SSL on the admin page at:
https://<vCloud Connector Server FQDN>:5480
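The steps above as one re-runnable POSIX sh script. This is an added example, not code from the original post or from VMware: it checks that each certificate is base64 (PEM) before handing it to keytool, answers the "first and last name" prompt non-interactively with the FQDN, skips CA imports that already exist, and verifies the keystore listing before restarting tc Server. The keytool, tcserver.jks and CSR paths, aliases and passwords are the ones used in the post; the CACERTS location and the "run" argument are assumptions (the post imports a bare "cacerts" from the working directory), so adjust them for your host.

```shell
#!/bin/sh
# Added example (not from the original post): the vCC certificate replacement
# steps as functions. Paths/aliases/passwords follow the post; CACERTS is an
# assumed location for the JVM trust store and can be overridden via the environment.
set -u

KEYTOOL=${KEYTOOL:-/usr/java/latest/bin/keytool}
JKS=${JKS:-/usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks}
JKS_PASS=${JKS_PASS:-changeme}          # tcserver.jks password from the post
CACERTS=${CACERTS:-/usr/java/latest/lib/security/cacerts}   # assumed trust store path
CACERTS_PASS=${CACERTS_PASS:-changeit}  # default Java cacerts password
ALIAS=hcserver

# is_pem_cert FILE: 0 if FILE is a base64 (PEM) certificate, 1 otherwise.
# keytool gives an unhelpful parse error on DER input, so check up front;
# convert with: openssl x509 -inform der -in cert.cer -out cert.crt
is_pem_cert() {
    [ -f "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# listing_has_entry ALIAS TYPE: read "keytool -list" output on stdin and
# succeed only if ALIAS appears as TYPE (PrivateKeyEntry or trustedCertEntry).
# JKS lower-cases aliases, hence the case-insensitive match.
listing_has_entry() {
    grep -iq -- "^$1,.*$2"
}

# import_ca ALIAS FILE: add a CA certificate to the JVM trust store,
# skipping it if that alias is already present (keytool would otherwise fail).
import_ca() {
    is_pem_cert "$2" || { echo "$2 is not a base64 certificate" >&2; return 1; }
    if "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$CACERTS_PASS" |
        listing_has_entry "$1" trustedCertEntry; then
        echo "$1 already present in $CACERTS, skipping"
        return 0
    fi
    "$KEYTOOL" -import -trustcacerts -noprompt -alias "$1" -file "$2" \
        -keystore "$CACERTS" -storepass "$CACERTS_PASS"
}

# replace_server_cert FQDN ROOT_CA ISSUING_CA [SIGNED_CERT]
# Without SIGNED_CERT: import the CAs, drop the old entry, generate the key
# and write the CSR. With SIGNED_CERT: import the CA reply, verify, restart.
replace_server_cert() {
    fqdn=$1; root_ca=$2; issuing_ca=$3; signed=${4:-}
    import_ca RootCA "$root_ca" && import_ca IssuingCA "$issuing_ca" || return 1
    if [ -z "$signed" ]; then
        # -delete fails if the alias is absent, which is fine on a fresh keystore
        "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$JKS" -storepass "$JKS_PASS" 2>/dev/null
        # -dname supplies the "first and last name" (CN) answer without prompting
        "$KEYTOOL" -genkey -validity 3650 -keyalg RSA -keysize 2048 -alias "$ALIAS" \
            -dname "CN=$fqdn" -keystore "$JKS" -storepass "$JKS_PASS" -keypass "$JKS_PASS" || return 1
        "$KEYTOOL" -certreq -alias "$ALIAS" -file "/home/admin/$ALIAS.csr" \
            -keystore "$JKS" -storepass "$JKS_PASS" || return 1
        echo "CSR written to /home/admin/$ALIAS.csr; submit it to the CA, then rerun with the issued .crt"
        return 0
    fi
    is_pem_cert "$signed" || { echo "$signed is not a base64 certificate" >&2; return 1; }
    "$KEYTOOL" -import -trustcacerts -alias "$ALIAS" -file "$signed" \
        -keystore "$JKS" -storepass "$JKS_PASS" || return 1
    # Confirm the reply landed on the private key entry before restarting
    "$KEYTOOL" -list -keystore "$JKS" -storepass "$JKS_PASS" |
        listing_has_entry "$ALIAS" PrivateKeyEntry || { echo "$ALIAS missing after import" >&2; return 1; }
    /etc/rc.d/hcserver-tomcat restart
}

# Usage (as root on the vCC Server):
#   sh vcc-cert.sh run vcc.example.com RootCA.crt IssuingCA.crt
#   sh vcc-cert.sh run vcc.example.com RootCA.crt IssuingCA.crt vCloudConnectorServer.crt
if [ "${1:-}" = run ]; then
    shift
    replace_server_cert "$@"
fi
```

Run it once to produce the CSR, submit that to the CA as in the post, then run it again with the issued certificate. Because the CA imports are idempotent, the second run does not fail on the aliases created by the first.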
And that’s all there is to it!