May 06 2014

vCloud Director SSL fingerprint mismatch detected and wildcard certificate configuration

During a vCloud Director (vCD) version 5.5 implementation the other week we started out using self-signed certificates for the vCD cells and a company-external (purchased) wildcard certificate for the load balancer facing the internet.
I have used this setup (without wildcard certificates) quite a few times, e.g. for vCD versions 1.5 and 5.1, and basically the customer makes the decision about which certificates to use. I can only advise my customers to use non-self-signed certificates.
However, since vCD 5.5 the firewall and vCD cell certificates must match. If they don't, you will get an SSL fingerprint mismatch error when trying to upload a file to vCD (to the transfer area).


To avoid this you have to configure the same certificate (the purchased wildcard one in my case) for the vCD cell/cells and the load balancer.

Below are the steps I took to configure the vCD cells to use the purchased certificate. I used the keytool binary found in the directory /usr/java/jre1.6.0_31/bin/ on the CentOS virtual machine (VM) where the vCD cell is installed.

1. Get the private key from the certificate.pfx file:

  • openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
  • Copy the private key from the certificate.cer file to a new file called private.key

2. Create pfx including alias for http and console proxy.

  • openssl pkcs12 -export -in certificate.cer -inkey private.key -name http -passout pass:passwd -out http.pfx
  • openssl pkcs12 -export -in certificate.cer -inkey private.key -name consoleproxy -passout pass:passwd -out consoleproxy.pfx

3. Import the two pfx files created above into the keystore (the same password, passwd, is used for both pfx files and for the keystore).

  • ./keytool -importkeystore -srckeystore /opt/certificates/http.pfx -srcstoretype PKCS12 -destkeystore /opt/keystore/cloudcerts.ks -deststoretype JCEKS -deststorepass passwd -srcalias http -destalias http -srcstorepass passwd
  • ./keytool -importkeystore -srckeystore /opt/certificates/consoleproxy.pfx -srcstoretype PKCS12 -destkeystore /opt/keystore/cloudcerts.ks -deststoretype JCEKS -deststorepass passwd -srcalias consoleproxy -destalias consoleproxy -srcstorepass passwd

4. Import intermediate certificate to keystore.

  • ./keytool -importcert -alias intermediate -file /opt/certificates/intermediate.crt -storetype JCEKS -keystore /opt/keystore/cloudcerts.ks -storepass passwd

5. Import root certificate to keystore.

  • ./keytool -importcert -alias root -file /opt/certificates/RootCA.crt -storetype JCEKS -keystore /opt/keystore/cloudcerts.ks -storepass passwd

6. Copy the keystore /opt/keystore/cloudcerts.ks to the second vCD cell.

7. Activate the new certificate on both vCD cells.

  • service vmware-vcd stop
  • Run /opt/vmware/vcloud-director/bin/configure, point it to the cloudcerts.ks file and enter the keystore password (passwd)
  • Start the vCD cell
  • Verify the vCD cell starts ok by tailing the cell log.
    • tail -f /opt/vmware/vcloud-director/logs/cell.log

You can verify the keystore by running the following command.

  • ./keytool -list -keystore /opt/keystore/cloudcerts.ks -storetype JCEKS -storepass passwd
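To confirm that the fix took, the script below (added here, not part of the original post) fetches the certificate each endpoint actually presents and compares the fingerprints against the load balancer's; the host names in ENDPOINTS are placeholders to replace with your own.

```python
import hashlib
import socket
import ssl

# Constructed placeholder endpoints: the internet-facing load balancer and the
# two vCD cells behind it. Replace with your own host names and ports.
ENDPOINTS = {
    "loadbalancer": ("vcloud.example.com", 443),
    "cell1": ("vcd-cell1.example.com", 443),
    "cell2": ("vcd-cell2.example.com", 443),
}


def cert_fingerprint(der_bytes: bytes, algo: str = "sha256") -> str:
    """Fingerprint of a DER certificate in the colon-separated uppercase form
    that `openssl x509 -fingerprint` and browsers display."""
    digest = hashlib.new(algo, der_bytes).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fetch_server_cert_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the endpoint actually presents. Chain
    validation is deliberately off here: the goal is to see what a cell
    serves even while it still runs a self-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def find_mismatches(fingerprints: dict, reference: str = "loadbalancer") -> list:
    """Names whose fingerprint differs from the reference endpoint's. A
    non-empty result is exactly the state that makes vCD 5.5 reject uploads."""
    expected = fingerprints[reference]
    return sorted(name for name, fp in fingerprints.items() if fp != expected)


if __name__ == "__main__":
    observed = {}
    for name, (host, port) in ENDPOINTS.items():
        observed[name] = cert_fingerprint(fetch_server_cert_der(host, port))
        print(f"{name:13} {observed[name]}")
    bad = find_mismatches(observed)
    print("OK: all endpoints present the same certificate" if not bad
          else f"MISMATCH against load balancer: {', '.join(bad)}")
```

The fingerprint printed for each cell should also match the one `keytool -list` shows for the http alias in cloudcerts.ks.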

When this is completed you can successfully upload files to vCD.


1 comment

  1. Sophie

    Such a wonderful and very detailed article explaining everything one needs to know about wildcard SSL configuration with vCloud.

    Why don’t you visit our official blog and share your experience with our readers?
