Friday, February 22, 2013

Replace vCloud Director Self Signed Certificates

Assuming you have already created self-signed certificates and have a valid certificates.ks keystore, the process is fairly simple and you have two options:
  1. Keep the existing keystore intact (preserving the self-signed certificates) and build a new keystore for the signed certificates
  2. Use the same keystore and import the signed certificates into it

Keep the original store intact and generate a whole new one:

  1. Stop the vCD Cell Services
  2. Move, copy, or rename the current certificates.ks file
  3. cd /opt/vmware (this is where I recommend putting the keystore file)
  4. Perform all the steps in the KB article for creating new certificates
  5. Re-run the configuration script (especially if you have CHANGED the location of the certificates.ks file); this should also update the database connections
  6. Start the vCD Cell Services
Keeping both a keystore with self-signed certificates and one with real signed certificates can be useful when you want to test moving from one set of certificates to the other.

Use the original store to import the signed certificates:

  1. Stop the vCD Cell Services
  2. Perform ONLY the CSR generation steps in the KB article, referencing the existing keystore file and its location
    1. I still recommend moving the keystore to /opt/vmware, but that is just me
    2. If you are not sure which directory you were in when you created it (a common mistake), you can locate it with:
       # find / -name certificates.ks
       /opt/vmware/certificates.ks
    3. There is no need to run the steps that create self-signed certificates, as they already exist
  3. Re-run the configuration script (especially if you have CHANGED the location of the certificates.ks file); this should also update the database connections
  4. Start the vCD Cell Services
  5. This leaves you with a single keystore file only
You can always check the contents of any keystore by running (substitute your own keystore password and path):
/opt/vmware/cloud-director/jre/bin/keytool -storetype JCEKS -storepass <keystore-password> -keystore /opt/vmware/certificates.ks -list
You would then see output like this:
consoleproxy, Feb 19, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 
http, Feb 19, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 
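The keytool listing above only shows that the two entries exist. The script below, an added example and not part of the original post, goes one step further and checks the verbose listing so you can confirm before starting the cell that the http and consoleproxy entries are private-key entries whose leaf certificate is actually CA-signed rather than still self-signed. The audit_vcd_keystore function, the VCD_KS_PASS variable and the sample dump are assumptions made for this example.

```shell
# Hypothetical post-import check (not from the original post): confirm that the
# 'http' and 'consoleproxy' entries in certificates.ks are PrivateKeyEntry
# entries whose leaf certificate is CA-signed, i.e. Issuer differs from Owner.
KEYTOOL=/opt/vmware/cloud-director/jre/bin/keytool
KEYSTORE=${KEYSTORE:-/opt/vmware/certificates.ks}
# check_alias <alias>: reads a 'keytool -list -v' dump on stdin and exits 0
# only if the alias exists, is a PrivateKeyEntry and the first (leaf)
# certificate after it has an Issuer different from its Owner.
check_alias() {
    awk -v want="$1" '
        /^Alias name: / { inalias = ($3 == want); if (inalias) { pke = 0; owner = ""; issuer = "" } }
        inalias && /^Entry type: /             { pke = ($3 == "PrivateKeyEntry") }
        inalias && owner == ""  && /^Owner: /  { owner  = substr($0, 8) }
        inalias && issuer == "" && /^Issuer: / { issuer = substr($0, 9) }
        END { exit !(pke && owner != "" && owner != issuer) }'
}
# audit_vcd_keystore: dump the real store once and check both vCD aliases.
# The store password is read from VCD_KS_PASS (assumed exported by the caller)
# so it is not typed on the command line.
audit_vcd_keystore() {
    dump=$("$KEYTOOL" -storetype JCEKS -storepass "$VCD_KS_PASS" \
           -keystore "$KEYSTORE" -list -v) || return 1
    rc=0
    for a in http consoleproxy; do
        printf '%s\n' "$dump" | check_alias "$a" && echo "ok:   $a" && continue
        echo "FAIL: $a missing, not a PrivateKeyEntry, or still self-signed"; rc=1
    done
    return $rc
}

# Constructed sample dump (no real keystore behind it): 'http' has been
# re-issued by a CA, 'consoleproxy' is still the self-signed entry.
sample_listing() {
    cat <<'EOF'
Alias name: http
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=vcd.example.com, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Alias name: consoleproxy
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=vcd.example.com, O=Example Corp
Issuer: CN=vcd.example.com, O=Example Corp
EOF
}
if [ "${1:-}" = "--audit" ]; then audit_vcd_keystore; fi
```

Run it on the cell as `VCD_KS_PASS=... sh check-ks.sh --audit` after the import and before step 4 (starting the services); any FAIL line means the import did not land in the entry vCD actually serves from.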
