In some cases, you need to upload certificates from the command line.

The vCloud Connector server and vCloud Connector node Admin Web consoles support uploading only a single root, intermediate, and signed certificate. To upload multiple root or intermediate certificates, use the command line interface.

Certificates must be in the X.509 format.

You must import certificates in the following order: root certificate, intermediate certificate, then signed certificate.

Certificates are added to the /usr/local/tcserver/vfabric-tc-server-standard/agent_or_server/conf/tcserver.jks keystore.

When you add valid certificates and enable SSL for a node, you must also import the corresponding CA root certificate into the trusted keystore of the vCloud Connector server and all other vCloud Connector nodes. See Add CA Root Certificate to Trusted Keystore for information.

You have obtained the certificates and have copied them to a directory in the vCloud Connector server or node.

Note

If you are obtaining certificates from a Windows Server 2008 Certificate Authority, select the Web Server template while requesting the certificate. Ensure that the Issuer field contains an Organization value. If there is no Organization value in the certificate, you might get an error while selecting the SSL option.

1

Log in to the console of the vCloud Connector server or vCloud Connector node as admin.

The default password is vmware.

2

If the certificates that you obtained from your Certificate Authority are not in the X.509 format, convert them to the X.509 format.

openssl pkcs7 -in <path/../certificate.cer> -print_certs | openssl x509 > <path/../certificate.cer>

Note

If the certificate is already in the X.509 format, you might get an error.

3

At the prompt, change directory.

cd /usr/local/tcserver/vfabric-tc-server-standard/server_or_agent/conf

4

Import the root certificate.

/usr/java/default/bin/keytool -import -trustcacerts -alias root -file <location of root .cer file> -keystore tcserver.jks -storepass changeme

5

Import intermediate certificates. Ensure that you import multiple intermediate certificates in an order of signing chain.

/usr/java/default/bin/keytool -import -trustcacerts -alias intermediate -file <location of intermediate .cer file> -keystore tcserver.jks -storepass changeme

Note

You must provide a unique alias name for every intermediate certificate you upload.

6

Import the signed certificate.

/usr/java/default/bin/keytool -import -trustcacerts -alias hcserver_or_hcagent -file <location of .cer file> -keystore tcserver.jks -storepass changeme

7

Enable SSL.

a

Go to the server or node Admin Web console at https://vCCServer_or_Node_IPaddress:5480.

b

Log in as admin.

The default password is vmware.

c

For the server, click the Server tab, then click the SSL tab. For the node, click the Node tab, then click the SSL tab.

d

Click Enable SSL.

Note

You can ignore the following message: "vCloud Connector server hostname does not match CN in SSL certificate."

After you install valid certificates, you must do the following.

Deselect the Ignore SSL Certificate flag for each node for which you installed a valid certificate and update the node's registration with the vCloud Connector server.

a

Go to the vCloud Connector server Admin Web console at https://vCCServerIPaddress:5480.

b

Log in as admin. The default password is vmware.

c

Click the Nodes tab.

d

Click the gears icon next to the node and select Edit.

e

Deselect Ignore SSL Certificate, then click Update.

See also Register vCloud Connector Nodes with vCloud Connector Server.