VMware Cloud Community
LooseMoose
Enthusiast

Using existing wildcard SSL certificates

Hi all,

I am deploying a new vCD environment. Our HTTP and CONSOLEPROXY need to use the same wildcard SSL certificate. This is an existing GeoCerts certificate so I cannot request using CSR. I've found the documentation very lacking on this front, so far I've been able to:

1. Create the keystore: ./keytool -genkey -alias http -keyalg RSA -keysize 2048 -keystore /opt/keystore/domain_com.jks. I filled in all the DN information and a keystore password.

2. Import the root cert: ./keytool -storetype JCEKS -storepass ******** -keystore /opt/keystore/domain_com.jks -import -alias root -file /opt/keystore/Geotrust_root.cer

3. Import the intermediate cert: ./keytool -storetype JCEKS -storepass ******** -keystore /opt/keystore/domain_com.jks -import -alias intermediate -file /opt/keystore/GeoTrust_intermediate_Primary.cer

I get stuck at importing the HTTP certificate:

Import the HTTP cert: ./keytool -storetype JCEKS -storepass ******** -keystore /opt/keystore/domain_com.jks -import -alias http -file /opt/keystore/wildcard_domain_com.cer

I receive the error "keytool error: java.lang.Exception: Public keys in reply and keystore don't match"

I can import the same certificate to the CONSOLEPROXY alias fine.

Looking at the certificates afterwards, they are all there and show the thumbprints.

2 Replies
mjha
Hot Shot

Did you check these articles?

vCloud Director and Wildcard SSL Certificates - SFlanders.net

vCloud Director SSL fingerprint mismatch detected and wildcard certificate configuration » VCDX56

Please consider marking this answer "correct" or "helpful" if you think your query has been answered correctly. Manish Jha | Operations Support Engineer | vCloud Air Operations vExpert 2015-17 | vExpert-NSX | vExpert-Cloud | VCAP6-DCV | VCP6-DCV | RHCE-7 Website: http://vstellar.com
LooseMoose
Enthusiast

Thanks for the reply.

The first article doesn't look to apply to my situation. I've had a thorough read through the second article and it seems more relevant, however I'm having great trouble with the first steps:

1. I download the * certificate from GeoCerts, it comes as a .P7B file. As I read the article, I must get it to a .PFX format to allow me to get the private key?

2. According to the GeoCerts article "How to convert a certificate into the appropriate format | GeoTrust", I must first convert .P7B to .CER: openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer, and then .CER and private key to .PFX: openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer

What's getting me stuck is the '-inkey privateKey.key'... it's referencing a file that isn't created from the initial .P7B to .CER conversion. GeoCerts don't provide the private key file. The .CER file produced from the .P7B to .CER conversion includes three certificates (I assume root, intermediate and wildcard).

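The two sticking points in this thread, the "Public keys in reply and keystore don't match" error in the opening post and the missing privateKey.key in the follow-up, come down to one fact: a certificate can only be imported as a reply for the key pair its CSR was generated from, and a .p7b bundle carries certificates only, never that key. The script below is an added example written for this thread; it is not code from the posts, from VMware or from GeoCerts. It uses openssl alone (no keytool), builds all key and certificate material locally as a constructed stand-in for the wildcard certificate and its chain, and the WORK directory, file names and the alias "http" are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Demonstrates with openssl:
#  1. the key/certificate match that keytool checks before accepting a cert reply;
#  2. that a .p7b / .cer bundle contains certificates and no private key;
#  3. bundling key + leaf + chain into PKCS#12, the form keytool -importkeystore accepts.
# All material is constructed here; WORK, file names and the "http" alias are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# SHA-256 over the DER SubjectPublicKeyInfo taken from a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when private key ($1) and certificate ($2) share a public key.
# This is the precondition behind "Public keys in reply and keystore don't match".
key_matches_cert() {
    [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Unpack a PKCS#7 bundle ($1) into a PEM file of certificates ($2), as the GeoTrust
# note describes. Add -inform DER if the vendor's .p7b is binary rather than PEM.
p7b_to_pem() {
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# Number of certificates in a PEM file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Succeeds when a PEM file contains a private key block.
pem_has_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# Bundle key ($1), leaf cert ($2) and chain PEM ($3) into PKCS#12 ($4) under alias "http".
# The export password is a constructed placeholder.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name http \
        -passout pass:changeit -out "$4"
}

# Constructed fixture: a throwaway CA, a wildcard leaf signed by it, an unrelated key
# pair (standing in for the keystore's own -genkey pair), and a .p7b of leaf + CA.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.cer" \
        -subj "/CN=Constructed Test CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/wildcard.key" \
        -out "$WORK/wildcard.csr" -subj "/CN=*.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/wildcard.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/wildcard.cer" -days 1 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/unrelated.key" \
        -out "$WORK/unrelated.cer" -subj "/CN=*.example.test" -days 1 >/dev/null 2>&1
    openssl crl2pkcs7 -nocrl -certfile "$WORK/wildcard.cer" -certfile "$WORK/ca.cer" \
        -out "$WORK/bundle.p7b"
}

main() {
    make_fixture
    p7b_to_pem "$WORK/bundle.p7b" "$WORK/bundle.cer"
    echo "certificates in unpacked .p7b: $(count_certs "$WORK/bundle.cer")"
    if pem_has_private_key "$WORK/bundle.cer"; then
        echo "bundle contains a private key"
    else
        echo "bundle contains no private key: the key stays where the CSR was made"
    fi
    if key_matches_cert "$WORK/wildcard.key" "$WORK/wildcard.cer"; then
        echo "wildcard.key matches wildcard.cer: safe to import as a cert reply"
    fi
    if ! key_matches_cert "$WORK/unrelated.key" "$WORK/wildcard.cer"; then
        echo "unrelated.key does not match wildcard.cer: keytool would reject this reply"
    fi
    make_pkcs12 "$WORK/wildcard.key" "$WORK/wildcard.cer" "$WORK/ca.cer" "$WORK/wildcard.p12"
    echo "wrote $WORK/wildcard.p12"
}

main
```

Once key_matches_cert passes for the real wildcard key and certificate, the resulting .p12 can be pulled into a JKS/JCEKS keystore with keytool -importkeystore (source store type PKCS12) instead of generating a fresh key pair with -genkey, which is what produces a keystore whose public key can never match the vendor's certificate. If the private key cannot be located at all, the only fix is to generate a new CSR and have the certificate reissued against it.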