If you have not yet replaced the self-signed certificates in your vCloud Connector server and vCloud Connector nodes, you need to do so before production use.

In a production environment, vCloud Connector requires three certificates for the vCloud Connector server and for each vCloud Connector node: the CA root certificate, the intermediate CA certificate, and the signed server certificate. The certificates must be in the X.509 format, which for this procedure means the PEM encoding that the openssl x509 command in step 7 writes.

If your Certificate Authority (CA) issues only two certificates (for example, a root CA that signs server certificates directly, with no intermediate), upload the two you have.

Note

If you are obtaining certificates from a Windows Server 2008 Certificate Authority, select the Web Server template when requesting the certificate. Ensure that the Issuer field of the resulting certificate contains an Organization (O) value; if the issuing CA's name has no Organization value, enabling SSL in the Admin Web console might fail with an error.

Certificates are stored in the tcserver.jks keystore: /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks on the vCloud Connector server and /usr/local/tcserver/vfabric-tc-server-standard/agent/conf/tcserver.jks on a vCloud Connector node.

When you add valid certificates and enable SSL for a node, you must also import the corresponding CA root certificate into the trusted keystore of the vCloud Connector server and all other vCloud Connector nodes. See Add CA Root Certificate to Trusted Keystore.

vCloud Connector supports wildcard certificates.

1

Go to the Admin Web console of the vCloud Connector server or node at https://vCCServer_or_Node_IPaddress:5480.

2

Log in as admin.

The default password is vmware. Change it if you have not already done so; this console manages the appliance's private keys and certificates.

3

For vCloud Connector server, click the Server tab, then click the SSL tab. For vCloud Connector node, click the Node tab, then click the SSL tab.

4

Create a new private key if your Certificate Authority requires you to do so. You can create a 2048-bit key either through the Admin Web console or the command line interface.

Note

For a wildcard certificate, whose Common Name contains the special character *, generate the key from the command line, because the Common Name field in the Admin Web console does not accept special characters.

To generate a 2048-bit key through the Admin Web console, complete these steps.

a

In the Generate New Key section of the Manage SSL Certificates page, specify the following options.

Option: Description

Public key algorithm: The key algorithm, RSA or DSA. Use RSA. The command-line procedure below generates RSA keys, and most CAs and TLS clients do not accept DSA server certificates.

Public key size: The key size. You can only generate a 2048-bit key.

Common Name: The IP address or fully qualified domain name of the server or node, for example 10.10.10.10 or myNode.mycompany.com. Use the name that users and other vCloud Connector components connect to; a certificate issued for a different name produces hostname mismatch warnings.

Organizational Unit: Your department name.

Organization: Your company name.

Locality: The city in which your company is based.

State: The state or province in which your company is based.

Country Code: The two-letter ISO 3166 code of the country in which your company is based, for example US.

b

Click Generate Key.

To generate a 2048-bit key using the command line interface, complete these steps.

a

Log in to the vCloud Connector server or node console as admin.

The default password is vmware.

b

Change directory. For the server, change to this directory.

cd /usr/local/tcserver/vfabric-tc-server-standard/server/conf

For the node, change to this directory.

cd /usr/local/tcserver/vfabric-tc-server-standard/agent/conf

c

Delete the existing self-signed key. It is stored under the alias hcserver on the server and hcagent on the node, and changeme is the appliance's default keystore password. If you change that password, the tc Server connector configuration that opens the keystore must be updated to match.

For the server, use this command.

/usr/java/default/bin/keytool -delete -alias hcserver -keystore tcserver.jks -storepass changeme

For the node, use this command.

/usr/java/default/bin/keytool -delete -alias hcagent -keystore tcserver.jks -storepass changeme

d

Generate the new 2048-bit key. Because no -dname option is given, keytool prompts for the Distinguished Name fields; the first prompt, "What is your first and last name?", is the Common Name, so for a wildcard certificate enter the wildcard name there, for example *.mycompany.com.

For the server, use this command.

/usr/java/default/bin/keytool -genkey -keyalg RSA -keysize 2048 -alias hcserver -validity 1095 -keystore tcserver.jks -storepass changeme -keypass changeme

For the node, use this command.

/usr/java/default/bin/keytool -genkey -keyalg RSA -keysize 2048 -alias hcagent -validity 1095 -keystore tcserver.jks -storepass changeme -keypass changeme

e

Log out of the console.
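The command-line steps above, collected into a script as an added example; this is not code from the vCloud Connector documentation or from VMware. It keeps the page's paths, aliases, key parameters and default keystore password, and adds a -dname option so that keytool does not prompt for the Distinguished Name, which is what makes a wildcard Common Name such as *.mycompany.com practical from the console. The OU, O, L, ST and C values, the VCC_DRYRUN variable and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example; not part of the vCloud Connector documentation. Wraps steps
# 4b-4d so the self-signed key is replaced without keytool's interactive DN
# prompts. Paths, aliases, key parameters and the default store password are
# the ones the procedure shows; OU/O/L/ST/C below are placeholders (assumed).

TCSERVER=/usr/local/tcserver/vfabric-tc-server-standard
KEYTOOL=/usr/java/default/bin/keytool
STOREPASS=changeme   # appliance default from the procedure; change both here and in tc Server if you rotate it

# Map the appliance role to the keystore directory (step 4b) and key alias (step 4c).
vcc_conf_dir() {
  case "$1" in
    server) echo "$TCSERVER/server/conf" ;;
    node)   echo "$TCSERVER/agent/conf" ;;
    *)      echo "role must be server or node" >&2; return 1 ;;
  esac
}

vcc_alias() {
  case "$1" in
    server) echo hcserver ;;
    node)   echo hcagent ;;
    *)      return 1 ;;
  esac
}

# Distinguished name for -dname. The CN is the name clients connect to (a
# wildcard such as *.mycompany.com is fine here); the other fields are
# placeholder values, not from the page.
vcc_dname() {
  printf 'CN=%s,OU=IT,O=Example Corp,L=Palo Alto,ST=California,C=US' "$1"
}

# Run the delete / generate / list sequence from the conf directory.
# With VCC_DRYRUN set, the commands are printed instead of executed.
vcc_replace_key() {
  dir=$(vcc_conf_dir "$1") || return 1
  a=$(vcc_alias "$1") || return 1
  run() {
    if [ -n "${VCC_DRYRUN:-}" ]; then printf '%s\n' "$*"; else (cd "$dir" && "$@"); fi
  }
  run "$KEYTOOL" -delete -alias "$a" -keystore tcserver.jks -storepass "$STOREPASS" &&
  run "$KEYTOOL" -genkey -keyalg RSA -keysize 2048 -alias "$a" -validity 1095 \
      -keystore tcserver.jks -storepass "$STOREPASS" -keypass "$STOREPASS" \
      -dname "$(vcc_dname "$2")" &&
  run "$KEYTOOL" -list -keystore tcserver.jks -storepass "$STOREPASS" -alias "$a"
}

# Usage on the appliance console: sh vcc_keygen.sh node '*.mycompany.com'
if [ $# -eq 2 ]; then vcc_replace_key "$1" "$2"; fi
```

The final keytool -list confirms that the alias exists again before you return to the Admin Web console for step 5; -genkey is the older spelling of -genkeypair and is accepted by every keytool version the appliance is likely to ship.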

5

In the Admin Web console, click Generate and download CSR to generate a Certificate Signing Request and download it.

The vCloud Connector server file is named hcserver.csr. The vCloud Connector node file is named hcagent.csr.

6

Obtain certificates from your CA using the .csr files you downloaded.

Note

If you are obtaining certificates from a Windows Server 2008 Certificate Authority, see the note at the beginning of this topic about the Web Server template and the Organization value in the Issuer field.

7

If the certificates you obtain from your CA are not in the X.509 format (for example, a PKCS#7 file from a Windows CA), convert them by using the following command at the command prompt. Write the output to a different file from the input: the shell truncates the output file before openssl reads it, so using the same name for both leaves you with an empty file.

openssl pkcs7 -in <path/../certificate.cer> -print_certs | openssl x509 > <path/../certificate-x509.cer>

If the PKCS#7 file is binary (DER) rather than PEM, add -inform DER after openssl pkcs7. Note that openssl x509 keeps only the first certificate it reads, so if the CA returned the root, intermediate, and signed certificate in one PKCS#7 bundle, run openssl pkcs7 -print_certs on its own to list them all and save each certificate to its own file.

Note

You must have OpenSSL installed to use this command. It is also available from the server or node console.

Note

If the file is already an X.509 certificate, openssl pkcs7 cannot parse it and reports an error. In that case skip the conversion and upload the file as it is.
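Steps 6 and 7, together with the checks a practitioner wants before uploading in step 8, as an added shell example that is not from the vCloud Connector documentation. It needs the openssl command, which step 7 already assumes. It accepts a certificate in PEM X.509, DER X.509, PEM PKCS#7 or DER PKCS#7 form, writes each contained certificate to its own PEM file instead of back into the input, and then verifies that the signed certificate chains to the root through the intermediate, carries the expected Common Name, and has an Organization value in its Issuer as the Windows Server 2008 CA note requires. The demo chain it builds (Example Corp, *.mycompany.com) is constructed test data, and the function names are assumptions.

```shell
#!/bin/sh
# Added example; not part of the vCloud Connector documentation. Needs openssl.
# Normalises whatever a CA returns into one PEM X.509 file per certificate and
# checks the three files step 8 uploads against each other.

# Print every certificate in $1 as PEM, whatever the container format.
# `openssl x509` alone keeps only the first certificate of a bundle, which is
# why PKCS#7 input goes through -print_certs instead.
pem_certs() {
  if openssl x509 -in "$1" -noout 2>/dev/null; then
    cat "$1"                                              # PEM X.509 (possibly several)
  elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
    openssl x509 -inform DER -in "$1"                     # DER X.509 (.cer from a Windows CA)
  elif openssl pkcs7 -in "$1" -noout 2>/dev/null; then
    openssl pkcs7 -in "$1" -print_certs                   # PEM PKCS#7
  elif openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null; then
    openssl pkcs7 -inform DER -in "$1" -print_certs       # DER PKCS#7 (.p7b)
  else
    echo "unrecognised certificate format: $1" >&2
    return 1
  fi
}

# Write each certificate from $1 to $2-1.pem, $2-2.pem, ... and print the count.
# Output never goes back into the input file: `cmd < f > f` empties f first.
to_x509_pem() {
  pem_certs "$1" | awk -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }'
}

# Checks before step 8: the signed certificate must chain to the root through
# the intermediate, its CN must be the name clients will use, and the Issuer
# must carry an Organization (O) value, per the Windows Server 2008 CA note.
check_chain() {
  root=$1; inter=$2; leaf=$3; cn=$4
  openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null || return 1
  case "$(openssl x509 -in "$leaf" -noout -subject)" in
    *"CN=$cn"*|*"CN = $cn"*) ;;
    *) echo "subject CN is not $cn" >&2; return 1 ;;
  esac
  openssl x509 -in "$leaf" -noout -issuer | grep -Eq '(^|[/,=] ?)O ?=' \
    || { echo "issuer has no Organization (O) value" >&2; return 1; }
}

# Constructed test data: a throwaway root -> intermediate -> wildcard leaf
# chain, with the leaf also packaged as DER PKCS#7 the way a Windows CA exports
# it, and as a three-certificate PEM bundle. Invented for the demo only.
build_demo_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/O=Example Corp/CN=Example Root CA' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 3650 -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/O=Example Corp/CN=Example Issuing CA' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -days 1825 -out "$d/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/O=Example Corp/CN=*.mycompany.com' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 1095 -out "$d/leaf.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$d/leaf.pem" -outform DER -out "$d/leaf.p7b"
  cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"
}

# Usage: sh vcc_certs.sh <root> <intermediate> <signed-cert-from-CA> <CN>
if [ $# -eq 4 ]; then
  n=$(to_x509_pem "$3" "$3.x509") && echo "$n certificate(s) written as $3.x509-N.pem"
  check_chain "$1" "$2" "$3.x509-1.pem" "$4" && echo "chain OK, ready to upload"
fi
```

On the appliance, run it with the three files from your CA and the name in the certificate; step 8 then uploads the root, the intermediate, and the -1.pem file it wrote. A count greater than 1 means the CA handed you a bundle and the files must be uploaded separately in the Root CA, Intermediate CA and Certificate fields.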

8

When you have your certificates in the X.509 format, upload them.

a

In the Root CA certificate field, click Browse and select the root certificate for the vCloud Connector server or node.

b

In the Intermediate CA certificate field, click Browse and select the intermediate certificate for the vCloud Connector server or node.

c

In the Certificate field, click Browse and select the signed certificate for the vCloud Connector server or node.

d

Click Upload.

9

Click Enable SSL at the top of the page.

Note

You can ignore the following message: "vCloud Connector server hostname does not match CN in SSL certificate."

After you install valid certificates, do the following.

Deselect the Ignore SSL Certificate flag for each node on which you installed a valid certificate, and update the node's registration with the vCloud Connector server. While the flag is selected, the server does not validate that node's certificate, so leaving it selected after installing a CA-signed certificate forfeits the protection you just configured.

a

Go to the vCloud Connector server Admin Web console at https://vCCServer_IPaddress:5480.

b

Log in as admin. The default password is vmware.

c

Click the Nodes tab.

d

Click the gears icon next to the node and select Edit.

e

Deselect Ignore SSL Certificate, then click Update.

See also Register vCloud Connector Nodes with vCloud Connector Server.