VMware VCF Offline Depot Certificates

Recently I have been doing some VCF 9 deployments in my homelab environment and I am using a VCF 9 offline depot to keep the environment as close as possible to any customer environment. For now, I will not go into the details of installing and configuring the offline depot webserver, since there have been various blogs about this topic. (Perhaps I will still do it later.)

If you have set up your offline depot with https, which you should do, then during deployment and configuration of VCF 9 there are 2 or 3 places where you have to configure the offline depot:

  • VCF Installer
  • SDDC Manager (for each VCF Instance)
  • Fleet Manager (formerly Aria Suite Lifecycle Manager)

If the VCF Installer was deployed outside of the VCF target cluster you have to configure the depot in all three. If the VCF Installer was deployed inside the VCF Target cluster, the VCF Installer is converged to SDDC Manager and this configuration is saved.

Obviously the certificate from the offline depot webserver is not trusted by the VCF Installer, SDDC Manager and Fleet Manager. While configuring the offline depot for Fleet Manager, you can opt to accept the certificate in the UI. Unfortunately, for the VCF Installer and SDDC Manager this is not the case.

Luckily I found [KB316056] – “How to add/delete Custom CA Certificates to SDDC Manager and Common Services trust stores” to add the webserver certificate and I followed the steps like this:

Retrieve the offline depot webserver certificate.

  • Login to the VCF Installer appliance with the vcf account and elevate to root with the su - command.
  • Check/retrieve webserver certificate with OpenSSL:
openssl s_client -showcerts -connect depot9.infrajedi.local:443 </dev/null
  • Copy and paste the contents of the certificate part (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) to a file, for example /home/vcf/depot9.crt.
  • As an alternative you can copy the depot webserver certificate contents from your browser.
  • On the VCF Installer appliance, retrieve the password for the truststore:
cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key
  • Note the output, which is the password to be used in the next commands, for example wC0-LDpNj4SWxLT2K7.

Import the certificate into the VCF (SDDC) Installer trust store with the keytool command:

  • Import the certificate to the trusted certificates store with the following command:
keytool -importcert -alias depot9.infrajedi.local -file /home/vcf/depot9.crt -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store --storepass wC0-LDpNj4SWxLT2K7
  • Note: if the command above throws an error like one of the two below, the store password contains a ! character, which the interactive shell interprets as a history expansion (here: event 57) before keytool ever sees it:
-su: !57: event not found
-bash: !57: event not found

Try the same command without the --storepass option and enter the password when asked for.

Import the certificate into the VCF Installer java trust store:

  • Import the certificate to the trusted certificates store with the following command:
keytool -importcert -alias depot9.infrajedi.local -file /home/vcf/depot9.crt -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit
  • Note: “changeit” is the default password of the Java cacerts store.
  • Issue a command similar to the following to verify that the new trusted certificate has been added to the trust store:
keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass wC0-LDpNj4SWxLT2K7

  • Issue the following command to restart the SDDC Manager services:
/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

Putting it all together…

Putting all the commands above into one small script (I have included additional line breaks for readability):

echo | openssl s_client -connect depot9.infrajedi.local:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /home/vcf/depot9.crt

export trustcert=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)

yes | keytool -importcert -alias depot9.infrajedi.local -file /home/vcf/depot9.crt -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store --storepass "$trustcert"

yes | keytool -importcert -alias depot9.infrajedi.local -file /home/vcf/depot9.crt -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit

yes | /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

  • Line 1: exports the certificate from the depot server with only the certificate data from BEGIN to END (without -showcerts, only the leaf certificate is written).
  • Line 2: exports the store password for the trusted certificates (quoted on line 3, so a ! in the password is not expanded by the shell).
  • Line 3: imports the depot webserver certificate into the trusted certificates store.
  • Line 4: imports the depot webserver certificate into the CA certificates store.
  • Line 5: restarts the SDDC Manager services.
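Line 1 of the script trusts whatever answers on port 443 at the moment it runs. As an added example (not part of the original post), the Python below shows the check I would put between lines 1 and 3: extract only the leaf certificate from the captured s_client output and compare its SHA-256 fingerprint against a value obtained out of band from the depot administrator before writing depot9.crt. The s_client output and the base64 payloads in it are constructed placeholders, not real certificates.

```python
"""Pin-check a depot webserver certificate before importing it into a trust store."""
import base64
import hashlib
import re

# Matches each PEM block in 'openssl s_client -showcerts' output (leaf first, then issuers).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample of s_client output; the base64 bodies are placeholders, not real DER.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = depot9.infrajedi.local
   i:CN = Homelab Issuing CA
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
 1 s:CN = Homelab Issuing CA
   i:CN = Homelab Root CA
-----BEGIN CERTIFICATE-----
aXNzdWVy
-----END CERTIFICATE-----
---
"""


def extract_certs(s_client_output: str) -> list:
    """Return every PEM certificate in the output, re-wrapped as clean PEM; index 0 is the leaf."""
    return ["-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b.strip()
            for b in PEM_RE.findall(s_client_output)]


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted like 'openssl x509 -noout -fingerprint -sha256'."""
    der = base64.b64decode("".join(PEM_RE.search(pem).group(1).split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' spellings from the out-of-band source."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def pinned_leaf_cert(s_client_output: str, expected_fp: str) -> str:
    """Return the leaf PEM to write to depot9.crt, or raise if it does not match the pin."""
    certs = extract_certs(s_client_output)
    if not certs:
        raise ValueError("no certificate found in s_client output")
    leaf = certs[0]  # never import the issuer chain as if it were the depot certificate
    if normalize_fingerprint(sha256_fingerprint(leaf)) != normalize_fingerprint(expected_fp):
        raise ValueError("fingerprint mismatch: refusing to write depot9.crt")
    return leaf
```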

That’s it. I hope this was a useful post.

Henk Engelsman
