Importing Existing Wildcard Certificate into vCloud Director Keystore

Scenario: I wanted to import a RapidSSL certificate I had originally bought for a UNIX/Apache into vCloud Director 5.x


Here are the steps for getting an X509 certificate into a JCEKS keystore.

1) First of all we have to convert the crt and private key into a .p12 format. As vCloud director requires both a http and consoleproxy certificate I have to do this twice

openssl pkcs12 -export -in jordansphere-co-uk.crt -inkey jordansphere-co-uk.key -out http.p12 -name http -CAfile rapidssl-intermediate2014.crt -caname root
openssl pkcs12 -export -in jordansphere-co-uk.crt -inkey jordansphere-co-uk.key -out consoleproxy.p12 -name consoleproxy -CAfile rapidssl-intermediate2014.crt -caname root

2) Then we need to import the .p12 files into a keystore

/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -destkeystore test.ks -srckeystore http.p12 -srcstoretype PKCS12 -srcstorepass {password} -alias http
/opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -destkeystore test.ks -srckeystore consoleproxy.p12 -srcstoretype PKCS12 -srcstorepass {password} -alias consoleproxy

Note: Ensure you use the keytool supplied with vCloud Director so the correct version of Java is required


3) Once complete check the status of the keystore:

/opt/vmware/vcloud-director/jre/bin/keytool -keystore test.ks -storetype JCEKS -storepass {password} -list

This should show an entry of http and consoleproxy and be listed as PrivateKeyEntry. If this is not the case then there is a problem


4) Ensure the root and intermediate certificates are also present by running this command:

/opt/vmware/vcloud-director/jre/bin/keytool -keystore test.ks -storetype JCEKS -storepass {password} -list -v


Place the keystore in a relevant place and then reconfigure vCloud Director by using this KB from VMwares official website:

Posted in SSL