VMware Cloud Director 10.x – Replace JCEKS certificate keystore with PKCS12

If you have a certificates.ks keystore that you carried over from previous VCD versions, it is highly likely a JCEKS-based keystore. If you start experiencing SSL issues and open an SR, Support will ask you to migrate your keystore to PKCS12 format, even if the issue is not related to it. It turns out that the JCEKS format can cause problems, and the recommendation is to migrate to PKCS12.

JCEKS is a proprietary keystore format specific to Java, while PKCS12 is a standard keystore type that can be used across different kinds of systems. Note that since Java 9, the default keystore type is PKCS12.

Migrating to PKCS12 is simple and painless.

If you are a Cloud Provider, you most likely have a multi-cell VCD setup, and your certificates.ks keystore is stored in your NFS transfer share for convenience and easy deployment, right after the first cell has been configured. This quick post will guide you through the migration process.

If you run keytool against your keystore to list your certificates, you will get this message:

Warning:
The JCEKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/vmware/vcloud-director/data/transfer/certificates-JCEKS.ks -destkeystore /opt/vmware/vcloud-director/data/transfer/certificates-JCEKS.ks -deststoretype pkcs12".

As you can see, it even tells you how to perform the change. Note that if you use a keypass for your intermediate and root CA certificates, the migration of those specific certificates will fail and only your http and consoleproxy certificates will be migrated. I prefer to migrate certificates 1:1 to avoid this situation. This means we have four (4) steps to migrate four different certificate types: http, consoleproxy, intermediate and root.

The process goes as follows; apply the same procedure to each of the certificate types mentioned above:

Migrate your http certificate:

$VCLOUD_HOME/jre/bin/keytool \
-importkeystore \
-srckeystore /opt/vmware/vcloud-director/data/transfer/certificates.ks \
-srcstoretype JCEKS \
-srcstorepass [password_here] \
-srckeypass [password_here] \
-srcalias http \
-destkeystore /opt/vmware/vcloud-director/data/transfer/certificates-pkcs12.ks \
-deststoretype PKCS12 \
-deststorepass [password_here] \
-destkeypass [password_here] \
-destalias http

Migrate your consoleproxy certificate:

$VCLOUD_HOME/jre/bin/keytool \
-importkeystore \
-srckeystore /opt/vmware/vcloud-director/data/transfer/certificates.ks \
-srcstoretype JCEKS \
-srcstorepass [password_here] \
-srckeypass [password_here] \
-srcalias consoleproxy \
-destkeystore /opt/vmware/vcloud-director/data/transfer/certificates-pkcs12.ks \
-deststoretype PKCS12 \
-deststorepass [password_here] \
-destkeypass [password_here] \
-destalias consoleproxy

Migrate your intermediate certificate:

$VCLOUD_HOME/jre/bin/keytool \
-importkeystore \
-srckeystore /opt/vmware/vcloud-director/data/transfer/certificates.ks \
-srcstoretype JCEKS \
-srcstorepass [password_here] \
-srckeypass [password_here] \
-srcalias intermediate \
-destkeystore /opt/vmware/vcloud-director/data/transfer/certificates-pkcs12.ks \
-deststoretype PKCS12 \
-deststorepass [password_here] \
-destalias intermediate

Migrate your root certificate:

$VCLOUD_HOME/jre/bin/keytool \
-importkeystore \
-srckeystore /opt/vmware/vcloud-director/data/transfer/certificates.ks \
-srcstoretype JCEKS \
-srcstorepass [password_here] \
-srckeypass [password_here] \
-srcalias root \
-destkeystore /opt/vmware/vcloud-director/data/transfer/certificates-pkcs12.ks \
-deststoretype PKCS12 \
-deststorepass [password_here] \
-destalias root

Things to be aware of and possible warnings

First of all, two of the certificates, http and consoleproxy, have a -destkeypass while the other two don't. If you try to import your intermediate and root certificates with a -destkeypass, the process will give you a warning/error stating that PKCS12 does not support a keypass for this kind of certificate.

If you use different passwords for -deststorepass and -destkeypass, you might get a warning telling you that different passwords are not supported/recommended.

It is recommended to use the same password for the appliance root account and the certificates.ks keystore. This avoids deployment failures when adding more cells while a shared keystore in the NFS transfer share is used for deployment.

Other than that, you should be fine following the process above. Rename your certificates.ks to something else and certificates-pkcs12.ks to certificates.ks.
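The four keytool steps above and the rename in the previous paragraph, folded into one script as an added example (my code, not from the original post or from VMware): it builds the -importkeystore arguments per alias, adding -destkeypass only for the two private-key entries so the PKCS12 keypass warning for intermediate and root never triggers, lists every alias from the new store before touching certificates.ks, and only then renames the files. Assumed for this example: KS_PASS and KEY_PASS environment variables holding the store and key passwords, MIGRATE_RUN=1 to actually execute, and keytool's :env password modifier applying to the -src*/-dest* password options.

```shell
#!/bin/sh
# Added example, not from the original post: migrate the four VCD keystore entries
# from JCEKS to PKCS12 one alias at a time, verify the result, then swap the files.
# Paths and aliases follow the post; KS_PASS, KEY_PASS and MIGRATE_RUN are assumed
# environment variables chosen for this example.

SRC_KS="${SRC_KS:-/opt/vmware/vcloud-director/data/transfer/certificates.ks}"
DEST_KS="${DEST_KS:-/opt/vmware/vcloud-director/data/transfer/certificates-pkcs12.ks}"
KEYTOOL="${VCLOUD_HOME:-/opt/vmware/vcloud-director}/jre/bin/keytool"

# Entries holding a private key get -destkeypass; trusted-certificate entries must not.
KEY_ALIASES="http consoleproxy"
CERT_ALIASES="intermediate root"

# Return 0 when the alias is a private-key entry (http or consoleproxy).
is_key_alias() {
  case " $KEY_ALIASES " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# Print the keytool -importkeystore arguments for one alias, one per line.
# Passwords are referenced through keytool's :env modifier (assumed here to apply
# to the -src*/-dest* password options) so they never appear in the process list.
import_args() {
  a_name="$1"
  printf '%s\n' -importkeystore \
    -srckeystore "$SRC_KS" -srcstoretype JCEKS \
    -srcstorepass:env KS_PASS -srckeypass:env KEY_PASS \
    -srcalias "$a_name" \
    -destkeystore "$DEST_KS" -deststoretype PKCS12 \
    -deststorepass:env KS_PASS \
    -destalias "$a_name"
  if is_key_alias "$a_name"; then
    printf '%s\n' -destkeypass:env KEY_PASS
  fi
}

# Run one import; the paths contain no whitespace, so unquoted expansion is safe here.
migrate_alias() {
  "$KEYTOOL" $(import_args "$1")
}

# Every expected alias must be listable from the new PKCS12 store before we swap.
verify_store() {
  for a in $KEY_ALIASES $CERT_ALIASES; do
    "$KEYTOOL" -list -keystore "$DEST_KS" -storetype PKCS12 \
      -storepass:env KS_PASS -alias "$a" >/dev/null ||
      { echo "alias $a missing from $DEST_KS" >&2; return 1; }
  done
}

# Keep the JCEKS file under a new name and put the PKCS12 store in its place.
swap_in_new_store() {
  mv "$SRC_KS" "${SRC_KS%.ks}-jceks.ks" && mv "$DEST_KS" "$SRC_KS"
}

# The source store is only read, so a failed run leaves certificates.ks untouched.
migrate_all() {
  [ -f "$SRC_KS" ] || { echo "source keystore not found: $SRC_KS" >&2; return 1; }
  [ ! -e "$DEST_KS" ] || { echo "refusing to overwrite $DEST_KS" >&2; return 1; }
  for a in $KEY_ALIASES $CERT_ALIASES; do
    migrate_alias "$a" || return 1
  done
  verify_store && swap_in_new_store
}

if [ "${MIGRATE_RUN:-0}" = 1 ]; then
  : "${KS_PASS:?set KS_PASS}" "${KEY_PASS:?set KEY_PASS}"
  migrate_all
fi
```

Set KS_PASS and KEY_PASS to the same value if you want to avoid the "different passwords" warning mentioned below; the cell-management-tool import and the service restart still follow as described in the rest of the post.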

Run the following command on each VCD cell to import the new signed certificates into VCD, as indicated in the Cloud Director documentation:

/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/data/transfer/certificates.ks --keystore-password root-password

Restart the vmware-vcd service on every VCD cell and you are good to go.
