vCO Appliance and SSL Certificates

The vCO team has a great post on issuing an SSL certificate for the Windows version of vCO here: I’ve recently been doing some work with the vCO virtual appliance and wanted to issue an SSL certificate for the appliance. The steps are nearly the same as on Windows, just with different paths. Here are the steps:

Verify the keystore has an existing entry.

/opt/vmo/jre/bin/keytool -list -keystore /opt/vmo/jre/lib/security/jssecacerts -storepass "dunesdunes"

You should see the default SSL certificate for dunes. We do not want this certificate so we’ll start by deleting it from the keystore:

/opt/vmo/jre/bin/keytool -delete -alias dunes -keystore /opt/vmo/jre/lib/security/jssecacerts -storepass "dunesdunes"

We now create a new key using our server name. I deal with certificates a lot, so I like to specify the full distinguished name on the command line instead of typing the values at each prompt, to cut down on the chance of errors (I just copy/paste the one line of text). Also, unlike the vcoteam post, I am going to specify a 2048-bit key size (the default is 1024).

/opt/vmo/jre/bin/keytool -genkey -keyalg RSA -keysize 2048 -alias dunes -keystore /opt/vmo/jre/lib/security/jssecacerts -storepass "dunesdunes" -validity 3650 -dname "CN=vco-server.bwuch.local,OU=My Department,O=My Company,L=City,ST=State,C=XX,emailAddress=vmware-admin@bwuch.local"

Once we have the key with the correct server name, we’ll create a certificate request we can send to a CA:

/opt/vmo/jre/bin/keytool -certreq -alias dunes -keypass "dunesdunes" -keystore /opt/vmo/jre/lib/security/jssecacerts -storepass "dunesdunes" -file /tmp/vcoCertRequest.csr

We’ll take the CSR and submit it to our CA. We’ll want to obtain the DER-encoded certificate and chain, then use a program like WinSCP to copy the file (named vcoCertificateChain.crt in this example) to the /tmp path. We can then import the new certificate into the keystore:

/opt/vmo/jre/bin/keytool -importcert -alias dunes -keypass "dunesdunes" -file /tmp/vcoCertificateChain.crt -keystore /opt/vmo/jre/lib/security/jssecacerts -storepass "dunesdunes"

As a practice, I like to make a backup of the certificate for safekeeping. If I ever need to rebuild the appliance, I’ll be able to import my existing certificate without the need to issue a new version. You can do the same with the following command:

/opt/vmo/jre/bin/keytool -exportcert -alias dunes -keystore /opt/vmo/jre/lib/security/jssecacerts -storepass "dunesdunes" -file /tmp/vcoExportCert

You’ll want to copy the vcoExportCert file to a very secure location for safekeeping. You can either restart the vCO Server Service and the Configuration Server Service for the change to take effect, or do what I did and just reboot the virtual appliance.
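The whole procedure above, gathered into one re-runnable script. This is an added example, not the post's own commands and not anything shipped with the appliance. The keytool path, keystore path, alias dunes and password dunesdunes are taken from the post; the server FQDN, the OU/O/L/ST/C fields, the vco-root-ca alias, the PKCS#12 backup file name and the script's subcommand names are assumptions to adjust. It goes beyond the post in three places: it only deletes the factory entry if it is still present, so a second run does not fail; it can import a private CA's root before the reply, because keytool refuses a reply it cannot chain to a certificate it already trusts (a PKCS#7 reply that carries the chain does not need this); and because -exportcert writes only the public certificate, the backup step also exports the key pair as PKCS#12, which is what a rebuild actually needs.

```shell
#!/bin/sh
# Added example (not the original post's script): the post's keytool steps
# for the vCO appliance wrapped in one re-runnable script with checks.
# Paths, the "dunes" alias and the "dunesdunes" password come from the post;
# every other value (FQDN, DN fields, file names) is a placeholder to edit.
set -eu

KEYTOOL=${KEYTOOL:-/opt/vmo/jre/bin/keytool}
KEYSTORE=${KEYSTORE:-/opt/vmo/jre/lib/security/jssecacerts}
STOREPASS=${STOREPASS:-dunesdunes}      # appliance default from the post
ALIAS=dunes
WORKDIR=${WORKDIR:-/tmp}

# Build the subject DN from the server FQDN; the OU/O/L/ST/C values are
# placeholders, change them to match your organisation.
build_dname() {
    printf 'CN=%s,OU=My Department,O=My Company,L=City,ST=State,C=XX' "$1"
}

# Exit 0 when the alias already exists in the keystore (keytool exits
# non-zero with "Alias <...> does not exist" otherwise).
alias_exists() {
    "$KEYTOOL" -list -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# Steps 1 and 2: remove the factory self-signed entry, but only if it is
# still there, so the script can be re-run without a spurious error.
remove_default_entry() {
    if alias_exists; then
        "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS"
    fi
}

# Step 3: generate a 2048-bit RSA key pair for the server name.
generate_key() {
    "$KEYTOOL" -genkey -keyalg RSA -keysize 2048 -alias "$ALIAS" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -validity 3650 -dname "$(build_dname "$1")"
}

# Step 4: write the CSR to hand to the CA.
make_csr() {
    "$KEYTOOL" -certreq -alias "$ALIAS" -keypass "$STOREPASS" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$WORKDIR/vcoCertRequest.csr"
}

# Step 5: install the CA reply. keytool only accepts a reply whose chain ends
# at a certificate it already trusts, so a bare leaf certificate from a
# private CA needs that CA's root imported under its own alias first (pass
# the root as the second argument); a PKCS#7 chain reply does not need it.
import_chain() {
    chain=$1
    root=${2:-}
    if [ -n "$root" ]; then
        "$KEYTOOL" -importcert -noprompt -alias vco-root-ca -file "$root" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS"
    fi
    "$KEYTOOL" -importcert -alias "$ALIAS" -keypass "$STOREPASS" -file "$chain" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 6: back up. -exportcert writes only the public certificate, which is
# not enough to restore the server after a rebuild; the private key is needed
# too, so the key pair is also written out as a PKCS#12 file (an addition to
# the post). Guard that file as tightly as the keystore itself.
backup() {
    "$KEYTOOL" -exportcert -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$WORKDIR/vcoExportCert"
    "$KEYTOOL" -importkeystore -srckeystore "$KEYSTORE" -srcstorepass "$STOREPASS" \
        -srcalias "$ALIAS" -srckeypass "$STOREPASS" \
        -destkeystore "$WORKDIR/vcoKeyPair.p12" -deststoretype PKCS12 \
        -deststorepass "$STOREPASS"
    chmod 600 "$WORKDIR/vcoKeyPair.p12"
}

# Sanity check: the installed entry must carry the expected CN.
verify_cn() {
    "$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | grep -q "Owner: CN=$1,"
}

usage() {
    echo "usage: $0 <server-fqdn> request | install <chain.crt> [root-ca.crt] | backup" >&2
    exit 2
}

main() {
    [ $# -ge 2 ] || usage
    fqdn=$1; action=$2; shift 2
    case $action in
        request) remove_default_entry; generate_key "$fqdn"; make_csr ;;
        install) [ $# -ge 1 ] || usage; import_chain "$@"; verify_cn "$fqdn" ;;
        backup)  backup ;;
        *)       usage ;;
    esac
}

# Only act when called with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it in three passes: `sh vco-cert.sh vco-server.bwuch.local request`, hand /tmp/vcoCertRequest.csr to the CA, then `sh vco-cert.sh vco-server.bwuch.local install /tmp/vcoCertificateChain.crt` and `sh vco-cert.sh vco-server.bwuch.local backup`, and restart the vCO services or reboot afterwards as described above. KEYTOOL, KEYSTORE, STOREPASS and WORKDIR can be overridden from the environment, so the same script can be tried against a scratch keystore before it touches jssecacerts.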

This entry was posted in Virtualization. Bookmark the permalink.
