Thursday, September 27, 2012

VMware vCenter Orchestrator Trusted Certificate Installation

If you've ever tried to install vCenter Orchestrator 5.0, you'll find that the Certificate Signing Request (CSR) generated via the "Server Certificate" option may not work.  I wanted to take the CSR and have a server certificate issued by a trusted authority.  The default certificate is SHA512 with RSA, but its key size was rejected by my Certificate Authority (CA).

After digging into the following docs, keytool, and the Orchestrator SSL setup, I came up with four keytool commands to delete the existing key entry from the keystore, regenerate it, export a CSR for my CA, and import the resulting PKCS#7 formatted certificate chain.

Ensure the Orchestrator service is stopped before you begin.  In the examples below I've denoted placeholders using <PLACEHOLDER_NAME>.  You will need to replace them with your own settings.  Let's dig into each command.

First we delete the existing key entry named "dunes" from the keystore.
keytool -delete -alias dunes -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -storepass dunesdunes

Second we generate a new public/private key pair: a 2048-bit RSA key, with SHA512withRSA as the signature algorithm.  The self-signed certificate created with it is valid for ten years (3650 days).  You will need to specify the Fully Qualified Domain Name (FQDN), Department, Company, City, State or Province and Country Code.

keytool -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -storepass dunesdunes -genkey -alias dunes -validity 3650 -keyalg RSA -sigalg SHA512withRSA -keysize 2048 -dname "CN=<YOUR_FQDN>, OU=<DEPARTMENT>, O=<COMPANY_NAME>, L=<CITY>, ST=<STATE/PROVINCE>, C=<COUNTRY_CODE>"

Next we'll export the CSR to a file.  In this example the CSR is saved to C:\vco.csr.
keytool -certreq -alias dunes -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -keypass dunesdunes -file C:\vco.csr

Take the CSR and have it signed by a CA.  Download the PKCS#7 formatted certificate chain (.p7b file) from your CA and save it to the vCenter Orchestrator server.

Lastly we import the signed certificate chain into the same "dunes" alias.  Specify the path to the .p7b file.
keytool -importcert -alias dunes -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -keypass dunesdunes -file <PATH_TO_P7B_FILE>

Start the Orchestrator service and log in via the Orchestrator client.  You should receive no certificate warnings.
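Before handing the CSR from the third step to the CA, it is worth confirming the key size it actually carries, since an undersized key is exactly what got the default CSR rejected.  The following stdlib-only Python check is an added example, not part of the original post or of VMware's tooling: it walks the PKCS#10 DER structure to read the RSA modulus size (handling keytool's "NEW CERTIFICATE REQUEST" PEM armour), and because no real key can be generated offline here, it builds a constructed CSR-shaped sample (made-up modulus, junk signature) to run against; on a real server you would pass it the contents of C:\vco.csr instead.

```python
import base64

OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")    # 1.2.840.113549.1.1.1, DER-encoded
OID_SHA512_WITH_RSA = bytes.fromhex("06092a864886f70d01010d")   # 1.2.840.113549.1.1.13, DER-encoded

def _tlv(tag, value):
    """DER-encode one tag/length/value triple (short or long-form length)."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def _read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Return the (tag, value) pairs nested directly inside a SEQUENCE value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_rsa_key_bits(pem):
    """Walk the PKCS#10 structure of a PEM CSR and return its RSA modulus size in bits."""
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    _, csr, _ = _read_tlv(base64.b64decode(b64))       # CertificationRequest
    cri = _children(csr)[0][1]                          # CertificationRequestInfo
    alg, key = _children(_children(cri)[2][1])          # SubjectPublicKeyInfo = [AlgorithmIdentifier, BIT STRING]
    if alg[1] != OID_RSA_ENCRYPTION + b"\x05\x00":
        raise ValueError("public key is not RSA")
    _, rsa_pub, _ = _read_tlv(key[1][1:])               # skip the BIT STRING unused-bits octet
    modulus = _children(rsa_pub)[0][1]                  # RSAPublicKey: first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def constructed_csr_pem(bits):
    """Constructed sample: CSR-shaped DER with a made-up modulus; not a real key, junk signature."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_pub = _tlv(0x30, _tlv(0x02, b"\x00" + modulus) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, OID_RSA_ENCRYPTION + b"\x05\x00") + _tlv(0x03, b"\x00" + rsa_pub))
    cri = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, OID_SHA512_WITH_RSA + b"\x05\x00")
    body = base64.b64encode(_tlv(0x30, cri + sig_alg + _tlv(0x03, b"\x00" * 65))).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN NEW CERTIFICATE REQUEST-----", *lines, "-----END NEW CERTIFICATE REQUEST-----"])
```

A CSR that reports fewer than 2048 bits is the one to regenerate with -keysize 2048 before submitting it to the CA.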