Configuring CA signed certificates for vCloud Director

I’ve seen a lot of questions around configuring CA signed certificates with vCloud director and how to avoid those “Cryptographic Errors” when starting the vCloud director service. In this post I hope to go through the configuration and setup vCloud director to use CA signed certificates.

Before we get into the details some information about the environment. I have an Intermediate certificate server and a Root certificate server, we will be issuing certificates from the intermediate certificate server but will require the complete chain to be imported in the vCloud director keystore.

Using keytool we will create the keystore and generate the CSR’s. Its recommended to use the keytool shipped with vCloud Director which is located at /opt/vmware/vcloud-director/jre/bin/keytool.

1. Create the keystore and generate a certificate for the http service

/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/etc/certificates.ks -storetype JCEKS -storepass vmware123 -genkey -keyalg RSA -dname “CN=nebula1.area88, OU=Cloud, O=VMware, L=BNG, ST=KAR, C=IN” -alias http

2. Create the certificate signing request file for the http service

/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/etc/certificates.ks -storetype JCEKS -storepass vmware123 -certreq -alias http -file http.csr

3. Generate a certificate for the console proxy service

/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/etc/certificates.ks -storetype JCEKS -storepass vmware123 -genkey -keyalg RSA -dname “CN=nebula1.area88, OU=Cloud, O=VMware, L=BNG, ST=KAR, C=IN” -alias consoleproxy

4. Create the certificate signing request for the console proxy service

/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/etc/certificates.ks -storetype JCEKS -storepass vmware123 -certreq -alias consoleproxy -file consoleproxy.cer

There should now be 2 CSR files created for the http and console proxy service that needs to be submitted to the CA. You can copy the contents of the CSR file by running ‘cat’ on the file.

5. On the Intermediate certificate server or the Root Certificate server navigate to the Web enrollment page, http://hostname/certsrv . Select Request a New certificate, choose the Advanced certificate request and select Submit a certificate request by using a base-64 encoded CMC or PKCS.

6. Paste the contents of the http CSR file in the Saved Request field. Select WebServer for the certificate template and click submit.

Screen Shot 2014-02-25 at 3.51.16 PM

7. Select DER encoded and Download the certificate

8. Repeat steps 6 & 7 for the console proxy CSR

9. With the certificates for http and console proxy generated we also need the root certificate and the intermediate certificate. From the Web Enrollment page download the root certificate and the intermediate certificate

Screen Shot 2014-02-25 at 3.52.04 PM

10. Now that we have the certificate chain we need to import the complete chain into the keystore.

/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/etc/certificates.ks -storetype JCEKS -storepass vmware123 -import -alias root -file rootca.cer

/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/etc/certificates.ks -storetype JCEKS -storepass vmware123 -import -alias intermediate -file interca.cer

/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/etc/certificates.ks -storetype JCEKS -storepass vmware123 -import -alias http -file http.cer

/opt/vmware/vcloud-director/jre/bin/keytool -keystore /opt/vmware/vcloud-director/etc/certificates.ks -storetype JCEKS -storepass vmware123 -import -alias consoleproxy -file consoleproxy.cer

11. We can verify that we have all the certificates imported into the keystore using the below command. You can also validate the thumbprint for each certificate from the keystore with the downloaded certificate

Screen Shot 2014-02-25 at 3.56.04 PM

12. Run the vcloud director configure script and provide the path to the keystore file


13. Access the vCloud Director web page and notice that the certificate should be trusted.


Michael Webster has already made a blog post on configuring CA signed certificates for vShield Manager which you can find here

I hope this blog post is useful and helps overcome the certificate pain that we run into. Thank you for reading.

Hello world!

Welcome to Virtual Chronicles. I’ve started this blog with the intent of sharing information with the community and to also chronicle my experiences in Information Technology. This blog will primarily focus on Virtualization (VMware) technologies but I would also like to expand into other areas of interest, Linux, networking, performance tuning …

I’m hopeful 🙂 that I would blog regularly with some good content. Cheers!