Wednesday Tidbit: Replace SSL certificates on vCloud Connector using the Java Keytool

A few days ago I decided to redeploy the vCloud Connector Server and Node in my lab. After performing the initial installation I set about replacing the default untrusted SSL certificates with genuine ones, only to receive an error.

Regardless of what I tried, when I came to enable SSL I got the following message:

[Screenshot: the error shown by the vCloud Connector admin GUI when enabling SSL]

It would appear the GUI was having none of it. It was time to override it by dropping into the shell.

First I downloaded my Root and Issuing CA certificates from my certificate authority, and then copied them to the vCloud Connector Server using SFTP. These have to be in Base64-encoded (PEM) format.

I then SSH’d to the vCC Server and logged in as admin. The default password is “vmware” (minus quotes), but I had obviously changed mine by this point. I then SU’d to root.

First I removed the existing certificate using:

/usr/java/latest/bin/keytool -delete -alias hcserver -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

Next I added my Root CA certificate to the keystore using (substitute the alias and file name for your own):

/usr/java/default/bin/keytool -import -trustcacerts -alias RootCA -file RootCA.crt -keystore cacerts -storepass changeit

In the above example, changeit is the default password of the Java cacerts truststore. Note that -keystore cacerts is a relative path, so the command has to be run from the directory that holds the JRE's cacerts file (lib/security under the Java home, or jre/lib/security on a JDK), or be given the full path. I then did the same again with my Issuing CA certificate:

/usr/java/default/bin/keytool -import -trustcacerts -alias IssuingCA -file IssuingCA.crt -keystore cacerts -storepass changeit

Before installing a new certificate I first had to generate a new key pair using:

/usr/java/latest/bin/keytool -genkey -validity 3650 -keyalg RSA -keysize 2048 -alias hcserver -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

In the prompts that followed, I set "first and last name" (which becomes the certificate's CN) to the FQDN of the vCloud Connector Server.

I then generated the certificate signing request (substitute the CSR path for your own):

/usr/java/latest/bin/keytool -certreq -alias hcserver -file /home/admin/hcserver.csr -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

Using SFTP I retrieved the CSR and submitted it to my certificate authority (Active Directory Certificate Services) with certreq:

certreq -submit -config "issuingca.mdb-lab.com\mdb-lab.com Issuing CA" -attrib "CertificateTemplate:VMwareSSL" hcserver.csr vCloudConnectorServer.crt

I then copied the issued certificate back to the vCloud Connector Server and imported it using (substitute the certificate file name for your own):

/usr/java/latest/bin/keytool -import -alias hcserver -file /home/admin/vCloudConnectorServer.crt -trustcacerts -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

If the certificate installed correctly you will receive the message below (if keytool cannot link the reply to the CA certificates imported earlier, it fails instead with "Failed to establish chain from reply"):

Certificate reply was installed in keystore

I verified this using:

/usr/java/latest/bin/keytool -list -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

This gave me:

[Screenshot of the keytool -list output]

I then restarted the service:

/etc/rc.d/hcserver-tomcat restart

The last remaining step was to enable SSL on the admin page at:

https://<vCloud Connector Server FQDN>:5480

And that’s all there is to it!
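The steps above as a single script, added here as an example (it is not from the original post or from VMware): it runs the same keytool commands non-interactively, passing the CN as -dname instead of answering the prompts, checks the issued certificate's CN against the FQDN before importing it, and afterwards tests for the "Certificate reply was installed in keystore" message and a three-certificate chain in the keystore. The keystore path, alias, store password and init script are the ones from the post; the JRE cacerts path, the choice of key password, the FQDN and the certificate file names are assumptions, and the keytool output used in the checks is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: the keytool procedure as one
# non-interactive script that stops at the first failing step.
set -eu

KEYTOOL=/usr/java/latest/bin/keytool
KEYSTORE=/usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks
STOREPASS=changeme
ALIAS=hcserver
# Assumed location of the JRE truststore that the post addresses as 'cacerts'.
CACERTS=/usr/java/latest/jre/lib/security/cacerts
CACERTS_PASS=changeit

# Distinguished name for -genkeypair, so keytool does not prompt for
# "first and last name": the CN must be the FQDN that clients connect to.
build_dname() {
    printf 'CN=%s' "$1"
}

# Extract the subject CN from 'keytool -printcert' output ($1) and compare it
# with the expected FQDN ($2); catches a certificate issued for the wrong name.
cert_owner_matches() {
    cn=$(printf '%s\n' "$1" | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1)
    [ "$cn" = "$2" ]
}

# True when keytool reported the message the post quotes for a successful import.
reply_installed() {
    case "$1" in
        *"Certificate reply was installed in keystore"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when 'keytool -list -v' output ($1) shows a private-key entry whose chain
# has the expected number of certificates ($2: server + issuing + root = 3).
chain_complete() {
    printf '%s\n' "$1" | grep -q 'Entry type: PrivateKeyEntry' &&
    printf '%s\n' "$1" | grep -q "Certificate chain length: $2"
}

# Phase 1: replace the default key pair and write a CSR for the CA.
prepare_csr() { # $1 = FQDN, $2 = CSR output path
    # Only delete the old entry if it is still there, so the script can be re-run.
    if "$KEYTOOL" -list -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1; then
        "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS"
    fi
    # Key password equals the store password (assumption: what pressing Enter at the prompt gives).
    "$KEYTOOL" -genkeypair -validity 3650 -keyalg RSA -keysize 2048 \
        -alias "$ALIAS" -dname "$(build_dname "$1")" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
    "$KEYTOOL" -certreq -alias "$ALIAS" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Phase 2: trust the CA chain, check the issued certificate, import it, verify, restart.
install_reply() { # $1 = FQDN, $2 = RootCA.crt, $3 = IssuingCA.crt, $4 = issued server cert
    "$KEYTOOL" -importcert -noprompt -trustcacerts -alias RootCA -file "$2" \
        -keystore "$CACERTS" -storepass "$CACERTS_PASS"
    "$KEYTOOL" -importcert -noprompt -trustcacerts -alias IssuingCA -file "$3" \
        -keystore "$CACERTS" -storepass "$CACERTS_PASS"
    cert_owner_matches "$("$KEYTOOL" -printcert -file "$4")" "$1" ||
        { echo "issued certificate is not for $1" >&2; return 1; }
    out=$("$KEYTOOL" -importcert -trustcacerts -alias "$ALIAS" -file "$4" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>&1) || true
    reply_installed "$out" || { printf '%s\n' "$out" >&2; return 1; }
    chain_complete "$("$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS")" 3 ||
        { echo "certificate chain for $ALIAS is incomplete" >&2; return 1; }
    /etc/rc.d/hcserver-tomcat restart
}

# Usage: vcc-cert.sh csr <FQDN> <csr path>
#        vcc-cert.sh install <FQDN> <RootCA.crt> <IssuingCA.crt> <server.crt>
case "${1:-}" in
    csr)     prepare_csr "$2" "$3" ;;
    install) install_reply "$2" "$3" "$4" "$5" ;;
esac
```

Run it as root on the vCC Server in two phases: `sh vcc-cert.sh csr vcc.example.com /home/admin/hcserver.csr`, submit the CSR to the CA, then `sh vcc-cert.sh install vcc.example.com RootCA.crt IssuingCA.crt /home/admin/vCloudConnectorServer.crt`. Enabling SSL on the :5480 admin page is still done by hand afterwards.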
