In some cases, you need to upload certificates from the command line.

The vCloud Connector server and vCloud Connector node Admin Web consoles support uploading only a single root, intermediate, and signed certificate. To upload multiple root or intermediate certificates, use the command line interface.

Also use the command line interface if you need to upload fewer than three certificates as the UI requires you to upload all three certificates. Some Certificate Authorities only issue two certificates.

Certificates must be in the X.509 format.

You must import certificates in the following order: root certificate, intermediate certificate, then signed certificate.

Note

If you obtain certificates from a Windows Server 2008 Certificate Authority, ensure that you select the Subordinate Certificate Authority template type while requesting the certificate.

You have obtained the certificates and have copied them to a directory in the vCloud Connector server or node.

1

Log in to the console of the vCloud Connector server or vCloud Connector node as admin.

The default password is vmware.

2

If the certificates that you obtained from your Certificate Authority are not in the X.509 format, convert them to the X.509 format.

openssl pkcs7 -in <path/../certificate.cer> -print_certs | openssl x509 > <path/../certificate.cer>

Note

If the certificate is already in the X.509 format, you might get an error.

3

At the prompt, change directory.

cd /usr/local/tcserver/vfabric-tc-server-standard/server_or_agent/conf

4

Import the root certificate.

/usr/java/default/bin/keytool -import -trustcacerts -alias root -file <location of root .cer file> -keystore tcserver.jks -storepass changeme

5

Import intermediate certificates. Ensure that you import multiple intermediate certificates in an order of signing chain.

/usr/java/default/bin/keytool -import -trustcacerts -alias intermediate -file <location of intermediate .cer file> -keystore tcserver.jks -storepass changeme

Note

You must provide a unique alias name for every intermediate certificate you upload.

6

Import the signed certificate.

/usr/java/default/bin/keytool -import -trustcacerts -alias hcserver_or_hcagent -file <location of .cer file> -keystore tcserver.jks -storepass changeme

7

Enable SSL.

a

Go to the server or node Admin Web console at https://vCCServer_or_Node_IPaddress:5480.

b

Log in as admin.

The default password is vmware.

c

For the server, click the Server tab, then click the SSL tab. For the node, click the Node tab, then click the SSL tab.

d

Click Enable SSL.

Note

You can ignore the following message: "vCloud Connector server hostname does not match CN in SSL certificate."

After you install valid certificates, you must do the following.

Deselect the Ignore SSL Certificate flag for each node for which you installed a valid certificate and update the node's registration with the vCloud Connector server.

a

Go to the vCloud Connector server Admin Web console at https://vCCServerIPaddress:5480.

b

Log in as admin. The default password is vmware.

c

Click the Nodes tab.

d

Click the gears icon next to the node and select Edit.

e

Deselect Ignore SSL Certificate, then click Update.

See also Register vCloud Connector Nodes with vCloud Connector Server.

Restart the vCloud Connector server after uploading new certificates for the change to take effect.