Importing wildcard signed SSL certificates into VMware vCloud Director

Article ID: 325579

Products

VMware Cloud Director

Issue/Introduction

This article provides procedures to import a wildcard certificate to VMware vCloud Director (vCD).

Environment

VMware Cloud Director 5.5.x

Resolution

Prerequisite
You must have the private key file (certificate.key) for the wildcard certificate and the signed DOMAIN.crt file from the certificate signing authority. The certificate signing request (.csr) file is not necessary.
 
To import wildcard signed SSL certificates into vCloud Director, you must convert the certificate to a PKCS12 file and then update the vCloud Director cell.
    To convert the file using openssl:
    1. Run this command:

      openssl pkcs12 -export -out DOMAIN.pfx -inkey certificate.key -in DOMAIN.crt -certfile CACert.crt
       
    2. Use WinSCP or scp to upload the DOMAIN.pfx file to the vCloud Director cell.
    3. Connect to the vCD cell using SSH or PuTTY.
    4. Change directory to /opt/vmware/vcloud-director/jre/bin using this command:

      cd /opt/vmware/vcloud-director/jre/bin
       
    5. Run this command to import the first combined key and cert file to the keystore file:

      ./keytool -trustcacerts -storetype JCEKS -importkeystore -srckeystore DOMAIN.pfx -destkeystore certificates.ks -srcstoretype pkcs12 -storepass PASSWORD

      Note: If the .pfx file does not contain the password, you will be prompted for the .pfx password after executing the command.
       
    6. Obtain the alias name by listing the contents within the keystore:

      ./keytool -keystore certificates.ks -storetype JCEKS -list

      For example:

      1, May 6th, 2012, PrivateKeyEntry,
      Certificate fingerprint (MD5):00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00


      Note: In this sample, the alias is 1.
       
    7. Replace the alias using this command:

      ./keytool -storetype JCEKS -changealias -alias 1 -destalias http -keystore certificates.ks

      Note: If you want to use the same wildcard certificate for both http and consoleproxy, repeat Steps 5 to 7 and, in Step 7, replace http with consoleproxy.
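
The following pre-flight checks are an added example, not part of the original VMware article: they confirm that the private key matches the certificate, that the PKCS12 bundle is self-consistent, and that the wildcard covers the cell's host names before keytool is run. The function names, the host names under example.test and the throwaway self-signed sample are assumptions constructed for the demonstration.

```shell
# Pre-flight checks to run before the keytool import (added example).

# Succeeds when the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Succeeds when the PKCS12 bundle holds a private key and its matching leaf cert.
pfx_is_consistent() {  # $1 = pfx file, $2 = export password
    k=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 2
    c=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Succeeds when the certificate's names cover the given host name.
cert_covers_host() {  # $1 = certificate file, $2 = host name
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Constructed sample: a throwaway self-signed wildcard for *.example.test and an
# unrelated key. A CA-issued certificate carries the name in subjectAltName,
# which -checkhost consults first; this sample has only a CN.
SAMPLE=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
    -keyout "$SAMPLE/certificate.key" -out "$SAMPLE/DOMAIN.crt" 2>/dev/null
openssl genrsa -out "$SAMPLE/other.key" 2048 2>/dev/null
openssl pkcs12 -export -out "$SAMPLE/DOMAIN.pfx" -passout pass:PASSWORD \
    -inkey "$SAMPLE/certificate.key" -in "$SAMPLE/DOMAIN.crt"

# A wildcard matches exactly one label: the apex and deeper names are not covered.
for h in vcd.example.test console.example.test example.test a.b.example.test; do
    if cert_covers_host "$SAMPLE/DOMAIN.crt" "$h"; then echo "covered:     $h"
    else echo "NOT covered: $h"; fi
done
key_matches_cert "$SAMPLE/certificate.key" "$SAMPLE/DOMAIN.crt" && echo "key matches certificate"
pfx_is_consistent "$SAMPLE/DOMAIN.pfx" PASSWORD && echo "pfx is consistent"
```

Passing the export password as an argument exposes it in the process list, so on a shared host supply it through openssl's `-passin file:` form instead.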

    To update the vCloud Director cell service:

    1. Stop the vCloud Director cell service:

      service vmware-vcd stop
       
    2. Run the vCloud Director configuration script:

      /opt/vmware/vcloud-director/bin/configure

      Notes:
      • You need to provide the path to your certificates.ks keystore file.
      • You must provide the keystore file password.
         
    3. When the configuration script completes and asks whether you want to start the vCloud Director service immediately, enter [y].

    To verify that the certificate import was successful, navigate to the vCloud Director interface at https://DOMAINNAME and check that the browser shows a properly protected site.