Generating and importing signed SSL certificates from an internal CA into vCloud Usage Meter

Article ID: 339848

Products

VMware Aria Suite

Issue/Introduction

This article provides steps to successfully generate a Certificate Signing Request (CSR) to send to an Internal CA to issue a signed SSL Certificate for use with vCloud Usage Meter.

Symptoms:
  • When you access the IP address or URL of the Usage Meter Appliance in Internet Explorer, you see the warning:

    There is a problem with this website's security certificate.

    The security certificate presented by this website was not issued by a trusted certificate authority.
    The security certificate presented by this website has expired or is not yet valid.
    The security certificate presented by this website was issued for a different website's address.

  • You see a similar warning when using Firefox or Chrome.


Environment

VMware vCloud Usage Meter 2.3.x
VMware vCloud Usage Meter 3.0.x

Cause

This issue occurs because the appliance's self-signed SSL certificate is not accepted by the browser: it has expired, it was not issued by a certificate authority that your environment trusts, or it was issued for a different web site address than the one you are accessing.

Resolution

vCloud Usage Meter requires a signed Certificate issued by a Certificate Authority (CA).

To resolve this issue, generate and install a compliant certificate:
 

Generating a Certificate Signing Request

To generate a Certificate Signing Request to send to an Internal CA to issue a signed SSL Certificate:
 
  1. Log in to the vCloud Usage Meter appliance as root.
  2. Stop Tomcat by running the command:

    # service tomcat stop
     
  3. Add the keytool command directory on your path by running the command:

    # export PATH=$PATH:/usr/java/latest/bin
     
  4. Verify that the keytool command is now on your $PATH by running the command:

    # which keytool
    /usr/java/latest/bin/keytool
     
  5. Change directory to /home/usgmtr/ by running the command:

    # cd /home/usgmtr/
     
  6. Back up the existing .keystore file by running the command:

    # cp .keystore .keystore.bak
     
  7. Create a new key to be used to generate a new Certificate Signing Request (CSR) by running the command:

    # keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore

    Notes:

    • The keystore password must be silverpen.
    • This must be the keystore in /home/usgmtr. There are multiple keystores on the appliance, and the others will not have the intended effect.
    • If the command does not work or you receive the Key Pair already exists error message, delete the existing tomcat alias from the keystore and re-run the previous genkey command:

      # keytool -delete -alias tomcat -keystore .keystore

  8. Create the Certificate Signing Request (CSR) by running the command:

    # keytool -certreq -alias tomcat -keyalg RSA -file example.com.csr -keystore .keystore

    Note: Ensure the CN (Common Name) is either the FQDN or IP address of the Usage Meter server.
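As an added pre-flight check that is not part of the KB article, the script below inspects the CSR from step 8 with openssl before it is sent to the CA: it confirms that the CN matches the Usage Meter FQDN or IP address, and reports whether the request carries a Subject Alternative Name, which current browsers check instead of the CN and which keytool -certreq only includes when given -ext SAN=dns:<fqdn> (JDK 7 and later). It assumes openssl is installed on the appliance; the CSR file name and expected host are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the KB article: pre-flight checks on the CSR from
# step 8 before it goes to the internal CA. Assumes openssl is installed on the
# appliance; the CSR file name and expected host are placeholders supplied by
# the caller.

# Print the subject CN of a PEM CSR (empty string if there is none).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Return 0 when the CN equals the expected FQDN or IP address of the appliance.
cn_matches() {   # $1 = CN taken from the CSR, $2 = expected host
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Count DNS:/IP Address: entries in the CSR's subjectAltName (0 if absent).
# keytool -certreq adds no SAN unless -ext SAN=dns:<fqdn> is given, and current
# browsers validate the SAN rather than the CN.
csr_san_count() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -o -E '(DNS|IP Address):[^,]*' | wc -l | tr -d ' '
}

# Overall check. Returns 0 when the CN matches and a SAN is present,
# 1 on CN mismatch, 2 when the CSR carries no SAN.
check_csr() {   # $1 = CSR file, $2 = expected host
    cn=$(csr_cn "$1")
    san=$(csr_san_count "$1")
    if ! cn_matches "$cn" "$2"; then
        echo "CN '$cn' does not match expected host '$2'" >&2
        return 1
    fi
    if [ "$san" -eq 0 ]; then
        echo "CSR has no subjectAltName; browsers will still warn on $2" >&2
        return 2
    fi
    echo "CSR OK: CN=$cn, $san SAN entries"
}

# Usage on the appliance (placeholder file name from step 8):
# check_csr example.com.csr um.example.com
```

If the check reports a missing SAN, regenerate the CSR with -ext SAN=dns:<fqdn> (or rely on a CA template that adds the SAN) rather than importing a certificate browsers will reject.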
 

Obtaining the certificate

To generate a certificate on an Internal CA for use with vCloud Usage Meter:

Open the Certificate Signing Request (CSR), copy its contents into the Internal CA's request form, and obtain the signed certificate together with the CA chain in Base64-encoded .P7B (PKCS #7) format.

Example: Using the Microsoft Windows Certificate Authority
 
  1. Using a web browser, go to:

    https://Internal_Certificate_Authority_URL/certsrv
     
  2. Under Select a Task, click Request a Certificate, then click Advanced Certificate Request.
  3. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  4. Open the Certificate Signing Request (CSR) file in a plain text editor and copy its contents into the Saved Request section, from the -----BEGIN CERTIFICATE REQUEST----- line through the -----END CERTIFICATE REQUEST----- line.
     
  5. Under Certificate Template, click Web Server then click Submit. You are shown the download options for the issued certificate.
  6. Click Base 64 Encoded > Download certificate chain.

    The certificate to import into the Usage Meter appliance has been generated.
 

Importing the certificate

To import the certificate into the Usage Meter appliance:
 
  1. Import the certificate into the keystore by running the command:

    # keytool -import -trustcacerts -alias tomcat -file certificate_from_ca.p7b -keystore .keystore

    You see this confirmation message:

    Certificate reply was installed in keystore.

    Note: If you are asked if you want to trust the certificate, type y or yes.
     
  2. Assign ownership of the keystore to the usgmtr user by running the command:

    # chown usgmtr .keystore
  3. Copy the new keystore by running the commands:

    # service tomcat stop
    # service vami-lighttp stop
    # cp /home/usgmtr/.keystore /opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks.new

    Note: In vCloud Usage Meter 3.6.1 and later versions, you can find the .jks file in the following location:

    /usr/share/tomcat/conf/webserver_certificate.jks
     
  4. Back up the existing keystore by running the command:

    # cp /usr/share/tomcat/conf/webserver_certificate.jks /usr/share/tomcat/conf/webserver_certificate.jks.bac

    Note: In vCloud Usage Meter 3.5 and older versions, you can find the .jks file in the following location:

    /opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks

  5. Replace the existing keystore with the newly generated one by running the commands:

    # cp /usr/share/tomcat/conf/webserver_certificate.jks.new /opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks
    # service tomcat start
    # service vami-lighttp start
  6. Optionally, add an entry to the /etc/hosts file on the Usage Meter appliance that maps the Usage Meter FQDN to its IP address.
  7. Verify that Tomcat is now running with the new SSL certificate issued by the internal CA by accessing https://Usage_Meter_appliance_IP:8443 in a web browser.

    Note: If the new SSL certificate is not shown, restart the Usage Meter appliance.