Scenario: I wanted to import a RapidSSL certificate I had originally bought for a UNIX/Apache server into vCloud Director 5.x.
Here are the steps for getting an X509 certificate into a JCEKS keystore.
1) First of all we have to convert the .crt and private key into .p12 format. As vCloud Director requires both an http and a consoleproxy certificate, I have to do this twice:
openssl pkcs12 -export -in jordansphere-co-uk.crt -inkey jordansphere-co-uk.key -out http.p12 -name http -CAfile rapidssl-intermediate2014.crt -caname root
openssl pkcs12 -export -in jordansphere-co-uk.crt -inkey jordansphere-co-uk.key -out consoleproxy.p12 -name consoleproxy -CAfile rapidssl-intermediate2014.crt -caname root
2) Then we need to import the .p12 files into a keystore:
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -destkeystore test.ks -deststoretype JCEKS -srckeystore http.p12 -srcstoretype PKCS12 -srcstorepass {password} -alias http
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -destkeystore test.ks -deststoretype JCEKS -srckeystore consoleproxy.p12 -srcstoretype PKCS12 -srcstorepass {password} -alias consoleproxy
Note: Ensure you use the keytool supplied with vCloud Director so the correct version of Java is used. The -deststoretype JCEKS option makes keytool write test.ks as a JCEKS keystore, the type the commands below read it as.
3) Once complete, check the status of the keystore:
/opt/vmware/vcloud-director/jre/bin/keytool -keystore test.ks -storetype JCEKS -storepass {password} -list
This should show an entry for http and one for consoleproxy, each listed as PrivateKeyEntry. If this is not the case then there is a problem.
4) Ensure the root and intermediate certificates are also present by running this command:
/opt/vmware/vcloud-director/jre/bin/keytool -keystore test.ks -storetype JCEKS -storepass {password} -list -v
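As an added example (not part of the original post or VMware's tooling), the checks from steps 3 and 4 can be scripted by piping the -list -v output into a small shell function. The function names, the embedded sample listing and the default minimum chain length of 2 are assumptions made for illustration.

```sh
# Usage: keytool -keystore test.ks -storetype JCEKS -list -v | check_vcd_keystore [min_chain]
# Fails unless both aliases exist, are PrivateKeyEntry and carry a long enough chain.
check_vcd_keystore() {
    min_chain="${1:-2}"   # assumption: leaf plus at least one CA certificate
    awk -v min="$min_chain" '
        /^Alias name: /               { alias = $3 }
        /^Entry type: /               { type[alias] = $3 }
        /^Certificate chain length: / { chain[alias] = $4 }
        END {
            n = split("http consoleproxy", want, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                a = want[i]
                if (!(a in type)) {
                    print "MISSING " a; bad = 1
                } else if (type[a] != "PrivateKeyEntry") {
                    print "NOT-PRIVATE-KEY " a " (" type[a] ")"; bad = 1
                } else if ((chain[a] + 0) < (min + 0)) {
                    print "SHORT-CHAIN " a " (" (chain[a] + 0) ")"; bad = 1
                } else {
                    print "OK " a " chain=" chain[a]
                }
            }
            exit bad
        }'
}

# Constructed, trimmed sample of `keytool -list -v` output (not real data).
sample_listing() {
cat <<'EOF'
Keystore type: JCEKS
Your keystore contains 2 entries

Alias name: http
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=vcd.example.test

Alias name: consoleproxy
Entry type: PrivateKeyEntry
Certificate chain length: 2
EOF
}

sample_listing | check_vcd_keystore
```

A chain length of 1 on either alias means only the server certificate was imported and the intermediate is missing from that entry.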
Place the keystore in a relevant place and then reconfigure vCloud Director by using this KB from VMware's official website: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2014237