vCenter Mobile Access (vCMA) and custom SSL certificates

If you haven’t heard of the vCMA Fling, you should stop reading this article and check out http://labs.vmware.com/flings. It is by far my favorite of the Flings available.

I like to use valid certificates on all VMware products. I’ve replaced the certificates used by vCenter, Update Manager, View and individual ESX/ESXi hosts. Today I started using the newest version of vCMA (vCenter Mobile Access), which has built-in SSL support but ships with a generic certificate. I decided to find out how much effort it would take to replace that cert with a valid certificate issued by a certificate authority.

I found the following article, which helped a lot. You’ll need everything on pages 2 and 3: http://www.informit.com/articles/article.aspx?p=407886&seqNum=2

The first step was to find the keytool that ships with the appliance’s JRE. A simple “find / | grep keytool” showed me right where the command was, so I changed to that directory:

cd /usr/lib/vmware/mobile/java/jre1.6.0_11/bin

Once in the proper directory, I created a new keystore holding a fresh 2048-bit RSA key pair (using the steps in the above article):

./keytool -genkey -alias mobile-vmware -keyalg RSA -keysize 2048 -dname "CN=vcma.domain.test,OU=Organization Name,O=Parent Organization,L=City,ST=State,C=US,emailAddress=vmware-admin@domain.test" -keypass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

Easy enough. Two things worth knowing about this command: passing -keypass and -storepass on the command line is convenient but leaves the passwords in the shell history (leave the flags off and keytool prompts for them instead), and the key password should be the same as the store password, because Tomcat opens the key with keystorePass unless the connector also sets keyPass. Now we need to create a certificate request:

./keytool -certreq -v -alias mobile-vmware -file /etc/mobile/ssl/csr-mobile-vmware.pem -keypass mypass -storepass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks

If successful, the command prints:
Certification request stored in file <csr-mobile-vmware.pem>
Submit this to your CA

Take the contents of the generated file and submit them to your certificate authority. Once the signed certificate is returned, copy it to /etc/mobile/ssl (I used WinSCP for this task). You’ll also need to transfer the CA certificate (Verisign/internal/etc) at this point, and, if your CA signs with an intermediate, the intermediate certificate as well; without it keytool cannot build the chain and will refuse to install your certificate.

Once you have the files copied over to the vCMA appliance, prepare the keystore to accept the certificate by importing the CA’s certificate as a trusted entry. Import any intermediate certificate the same way, with its own alias (for example intermediateca), before importing your own certificate. The root import looks like this:

./keytool -import -v -noprompt -trustcacerts -alias rootcacert -file /etc/mobile/ssl/rootca-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

The following results should be returned from that command:
Certificate was added to keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Now we are ready to import the actual certificate (the CA’s reply) into the same alias that holds the private key:

./keytool -import -v -alias mobile-vmware -file /etc/mobile/ssl/mobile-vmware-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -keypass mypass -storepass mypass

The following results should be returned from that command:
Certificate reply was installed in keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

If keytool instead reports “Failed to establish chain from reply”, a CA certificate (usually an intermediate) is missing from the keystore; import it as above and retry. Almost at the end now…

We need a text editor, so I went the easy way and installed one I know how to use. You can do the same with “yum install nano”.

nano /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.28/conf/server.xml

Look through the file for the HTTPS connector, the element that starts

<Connector port="443" protocol="HTTP/1.1"

In that element, change keystoreFile to “/etc/mobile/ssl/mobile-vmware.jks” and keystorePass to “mypass” (the -storepass value from above). If the keystore ever holds more than one key entry, also set keyAlias="mobile-vmware" so Tomcat serves the right one. A typo here, or a password that does not match the keystore, means the connector fails to start and nothing answers on port 443 at all.

Once the code is modified, save the file and exit nano. Now type the following:

service mobile restart

This restarts the vCMA application so Tomcat reloads the connector with the new keystore. Now browse to vCMA and inspect the certificate: it should be the CA-issued one, with the subject you put in -dname and the CA’s chain behind it. If the page no longer loads after the restart, check Tomcat’s log (normally logs/catalina.out under the apache-tomcat-6.0.28 directory) for a keystore or password error and fix server.xml before trying again.
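The whole procedure as one script, added here as an example; it is not code from the post or from VMware. It follows the paths and alias names used above and adds the chain check that the post skips. It assumes any intermediate certificates are dropped into /etc/mobile/ssl as intermediate*.cer, and the csr/install sub-commands are an invention of this example. The server.xml step is a plain sed edit so you can try it on a copy of the file before touching the appliance.

```shell
#!/bin/sh
# Added example (not VMware's code, not from the original post): the steps of
# the post as one script, plus chain verification. Paths and alias names follow
# the post; intermediate*.cer and the csr/install sub-commands are assumptions.
set -eu

KEYTOOL=/usr/lib/vmware/mobile/java/jre1.6.0_11/bin/keytool
SSLDIR=/etc/mobile/ssl
KS="$SSLDIR/mobile-vmware.jks"
ALIAS=mobile-vmware
DNAME="CN=vcma.domain.test,OU=Organization Name,O=Parent Organization,L=City,ST=State,C=US"
SERVER_XML=/usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.28/conf/server.xml

# Prompt for the password rather than hard-coding it: a literal on the command
# line is saved in the shell history. (It is still briefly visible to `ps`;
# drop the -storepass/-keypass flags and let keytool prompt if that matters.)
read_pass() {
  printf 'Keystore password: ' >&2
  stty -echo; read -r PASS; stty echo; printf '\n' >&2
}

# Key pair and CSR. One password for key and store keeps Tomcat happy: it
# unlocks the key with keystorePass unless keyPass is set on the connector.
gen_key_and_csr() {
  "$KEYTOOL" -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -dname "$DNAME" \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
  "$KEYTOOL" -certreq -alias "$ALIAS" -file "$SSLDIR/csr-$ALIAS.pem" \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
}

# Trust anchors first (root, then every intermediate the CA shipped), then the
# reply into the key entry's alias. keytool rejects the reply with "Failed to
# establish chain from reply" when an intermediate is missing, and a chain that
# is complete here is the chain Tomcat will send to clients.
import_chain() {
  "$KEYTOOL" -import -v -noprompt -trustcacerts -alias rootcacert \
    -file "$SSLDIR/rootca-certnew.cer" -keystore "$KS" -storepass "$PASS"
  for inter in "$SSLDIR"/intermediate*.cer; do
    [ -f "$inter" ] || continue
    "$KEYTOOL" -import -v -noprompt -trustcacerts -alias "$(basename "$inter" .cer)" \
      -file "$inter" -keystore "$KS" -storepass "$PASS"
  done
  "$KEYTOOL" -import -v -alias "$ALIAS" -file "$SSLDIR/$ALIAS-certnew.cer" \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
}

# Before restarting: the alias must be a PrivateKeyEntry (not trustedCertEntry)
# and the chain length must cover leaf + intermediates + root.
verify_chain() {
  "$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$PASS" \
    | grep -E '^(Entry type|Certificate chain length|Owner|Issuer)'
}

# Escape a value for the replacement side of sed (| is the delimiter below).
sed_esc() { printf '%s' "$1" | sed 's/[|&\\]/\\&/g'; }

# Point the port-443 connector at the new keystore. Only the element starting
# at <Connector port="443" (up to its closing />) is touched; keyAlias is
# (re)written so Tomcat serves this key even if the keystore holds other entries.
# patch_server_xml FILE KEYSTORE PASSWORD ALIAS
patch_server_xml() {
  f=$1; ks=$(sed_esc "$2"); pw=$(sed_esc "$3"); al=$(sed_esc "$4")
  cp "$f" "$f.bak"
  sed "/<Connector port=\"443\"/,/\/>/{
    s| keyAlias=\"[^\"]*\"||
    s|keystoreFile=\"[^\"]*\"|keystoreFile=\"$ks\" keyAlias=\"$al\"|
    s|keystorePass=\"[^\"]*\"|keystorePass=\"$pw\"|
  }" "$f.bak" > "$f"
  grep -q 'keyAlias=' "$f" || { echo "443 connector not found or not patched" >&2; return 1; }
}

main() {
  read_pass
  case ${1:-} in
    csr)     gen_key_and_csr ;;
    install) import_chain; verify_chain
             patch_server_xml "$SERVER_XML" "$KS" "$PASS" "$ALIAS"
             service mobile restart ;;
    *)       echo "usage: $0 csr|install" >&2; exit 2 ;;
  esac
}

# Only act when invoked with a sub-command; defining the functions has no side effects.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh vcma-cert.sh csr` to produce the request, and `sh vcma-cert.sh install` once the CA has replied and the files are in /etc/mobile/ssl. After the restart, confirm what the appliance actually serves from another machine with `openssl s_client -connect vcma.domain.test:443 -showcerts </dev/null`; every certificate up to the intermediate should appear there, with only the root left to the client's trust store.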

7 comments

  1. Matt says:

    Awesome write up. Worked great, thanks!

  2. Mike says:

    Trying this exact same process with a wildcard cert and no such luck. Do you have any advice?

  3. Yep . . . it’s quite an authentic post, and so well executed; you have provided good links. You posted such great stuff for techs. I’ll wait for further posts.

  4. Chris Fox says:

    I have followed all of these procedures, and of course, as usual with SSL, it’s not working for me. I can’t even connect to the site at all; it just says the page can’t be displayed. Can anyone help? I thought it was because I was trying to merge a PFX in, so I bought a whole new non-wildcard cert and it still doesn’t work. Someone please help!

  5. Luca says:

    Great work man, works like a charm! Thank you very much.

  6. Mike R says:

    I have run through the instructions above, and whilst I can follow them I am getting a similar issue to Chris Fox above. Fortunately I have snapshots, so I can revert back easily.
    My CA (Comodo) provides 3 certificates: one root, one intermediate and the required certificate.
    I have tried all the various permutations, including importing all certificates into the keystore as well as just the root and intermediate. I have consulted and followed Comodo’s steps as well, re:

    https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1204

    The appliance is working fine until I follow the steps and restart the service; then it just reports it cannot access the page. This page seems to be the only one on the Internet that describes the steps for the appliance. I have been working on this for some time, so if someone could help it would be much appreciated!

  7. hot korean says:

    Way cool! Some very valid points! I appreciate you writing this article and also the rest of the website is extremely good.
