Below are the steps to extract all the information required from a PFX file (CompleteCert.pfx) to update the certs in a keystore for vCloud Director.
Note: In this example the CA has changed, so I have changed the Intermediate and Root certs.
The following steps are carried out on a CentOS 7 vCloud Director cell.
CREATE PRIVATE KEY
openssl pkcs12 -in CompleteCert.pfx -nocerts -out mj_key.pem -nodes
EXPORT CERTS
openssl pkcs12 -in CompleteCert.pfx -nokeys -out mj_cert.pem
WRITE OUT RSA KEY WITHOUT PASSWORD
openssl rsa -in mj_key.pem -out mj.key
EXPORT JUST CERTS
openssl pkcs12 -in CompleteCert.pfx -out mj_just_cert.crt -clcerts -nokeys
EXPORT CA CERTS
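Extract the CA certs from mj_cert.pem (save them as mj_root.crt and mj_intermediate.crt) and place both into mj_bundle.crt. mj_key.pem was exported with -nocerts, so it contains only the private key.
Note: you can also get these from the CA's website.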
EXPORT ALIAS
openssl pkcs12 -export -in mj_just_cert.crt -inkey mj.key -CAfile mj_bundle.crt -name http -out http.pfx -chain
openssl pkcs12 -export -in mj_just_cert.crt -inkey mj.key -CAfile mj_bundle.crt -name consoleproxy -out consoleproxy.pfx -chain
DELETE OLD ENTRIES FROM KEYSTORE
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -keystore mj_certs.ks -delete -alias intermediate
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -keystore mj_certs.ks -delete -alias root
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -keystore mj_certs.ks -delete -alias consoleproxy
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -keystore mj_certs.ks -delete -alias http
CONFIRM KEYSTORE IS EMPTY
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -list -v -keystore mj_certs.ks
ADD NEW CERTS TO KEYSTORE
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass [PASSWORD] -destkeystore mj_certs.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass [PASSWORD]
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass [PASSWORD] -destkeystore mj_certs.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass [PASSWORD]
CONFIRM KEYSTORE HAS ENTRIES
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -list -v -keystore mj_certs.ks
ADD INTERMEDIATE AND ROOT CERTS
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -keystore mj_certs.ks -importcert -alias root -file mj_root.crt
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -keystore mj_certs.ks -importcert -alias intermediate -file mj_intermediate.crt
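The EXPORT CA CERTS step above is manual. The following is an added example, not part of the original post, of one way to script it: it reads the subject= and issuer= lines that openssl pkcs12 prints above each certificate in mj_cert.pem and writes mj_root.crt, mj_intermediate.crt and mj_bundle.crt. The function names split_ca_certs and sample_dump are hypothetical, the sample dump is constructed, and the script assumes the PFX holds exactly one root and one intermediate.

```shell
#!/bin/sh
# Added example (not from the original post): split the text dump written by
# `openssl pkcs12 -nokeys` into the CA files used by the later steps.
split_ca_certs() {   # usage: split_ca_certs mj_cert.pem [outdir]
    awk -v dir="${2:-.}" '
        /^subject=/ { subj = substr($0, 9) }   # openssl prints these two lines
        /^issuer=/  { iss  = substr($0, 8) }   # above every PEM block
        /^-----BEGIN CERTIFICATE-----/ { n++; inblk = 1; s[n] = subj; i[n] = iss }
        inblk { pem[n] = pem[n] $0 "\n" }
        /^-----END CERTIFICATE-----/ { inblk = 0; subj = ""; iss = "" }
        END {
            for (k = 1; k <= n; k++) signs[i[k]] = 1   # names that issued a cert
            for (k = 1; k <= n; k++) {
                if (s[k] == "")         { bad = 1 }             # header missing
                else if (s[k] == i[k])  { root = k; nroot++ }   # self-issued
                else if (s[k] in signs) { mid = k; nmid++ }     # issued another cert
            }                                  # anything else is the leaf cert
            if (bad || nroot != 1 || nmid != 1) {
                print "need exactly one root and one intermediate" > "/dev/stderr"
                exit 1
            }
            printf "%s", pem[mid]  > (dir "/mj_intermediate.crt")
            printf "%s", pem[root] > (dir "/mj_root.crt")
            printf "%s%s", pem[mid], pem[root] > (dir "/mj_bundle.crt")
        }' "$1"
}

# Constructed sample of the dump format; names and PEM bodies are placeholders.
sample_dump() { cat <<'EOF'
Bag Attributes
subject=/CN=vcd.example.test
issuer=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
subject=/CN=Example Root CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----
subject=/CN=Example Intermediate CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

The split is based on the printed names only and does not validate any signature; running openssl verify -CAfile mj_bundle.crt mj_just_cert.crt before building the new PFX files checks that the chain actually verifies.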