Administer > Add an SSL certificate to Virtualization Manager

Add an SSL certificate to VMAN

You can replace the SSL certificate included with Virtualization Manager with one of your own. The following instructions supports certificates generated from Certificate Authorities not in Java's Trusted Certificates Keystore.

When you use the su command (switch user), you open the computer to security risks. When you log in as root, you have full system privileges, and you can perform any commands. Some of these commands are destructive.

  1. Log in to the virtual appliance by using the console or an SSH connection.
  2. Enter the sudo su - root command.
  3. Go to the java bin folder on the virtual appliance. This is generally in the /usr/java/jdkX/bin folder, where X represents the jdk version number.
  4. You can import the Trust Chain certificates into Java's Trusted Certificates Keystore. For example:

    keytool -import -trustcacerts -file /home/admin/ca-root.cer -alias ServerName-CA -keystore /usr/java/jdk1.8.0_121/jre/lib/security/cacerts
    keytool -import -trustcacerts -file /home/admin/ca-intermediate.cer -alias jsmith-ServerName-CA -keystore /usr/java/jdk1.8.0_121/jre/lib/security/cacerts
  5. Enter the following command to create the initial keystore. Enter the location and name of your new keystore for /etc/hyper9/mykeystore. You can also add -daysvalid and the number of days the certificate is valid. For example:
    ./keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/hyper9/mykeystore

    If you use the default keystore, hyper9-keystore, you do not need to modify the server.xml file.

  6. When prompted, enter a new keystore password and enter the required information for the new certificate. For example:

    Enter keystore password: password
    Re-enter new password: password
    What is your first and last name?
    [Unknown]:  solarwinds.test.com
    What is the name of your organizational unit?
    [Unknown]:  IT
    What is the name of your organization?
    [Unknown]:  Company IT
    What is the name of your City or Locality?
    [Unknown]:  Austin
    What is the name of your State or Province?
    [Unknown]:  TX
    What is the two-letter country code for this unit?
    [Unknown]:  US

    Provide your domain name instead of the first and last name. If you do not use the domain name for the name, you will continue to receive certificate errors.

    This information is displayed to users who try to access VMAN through a secure connection.

  7. Type yes when prompted to confirm your new key information.

    Is CN=solarwinds.test.com, OU=IT, O=Company IT, L=Austin, ST=TX, C=US correct?
    [no]:  yes
  8. When prompted for the key password, enter the new keystore password. This password is for the Tomcat Key, leave it blank to keep it the same as the keystore password:

    Enter key password for <tomcat> password
    (RETURN if same as keystore password):
    Re-enter new password: password
  9. If you did not import the certificates, you can import them at this point into the Keystore. You may not be required to complete these commands if you imported the certificates into the Java's Trusted Certificates Keystore. Enter the keystore location and/or name for mykeystore.

    keytool -import -trustcacerts -alias root -file ca-root.cer -keystore mykeystore
    keytool -import -trustcacerts -alias intermediate -file ca-intermediate.cer -keystore mykeystore
  10. Modify the owner of the keystore by entering the following command, where mykeystore is the name of your keystore:

    chown hyper9:hyper9 /etc/hyper9/mykeystore
  11. Change the permissions on the keystore by entering the following command, where mykeystore is the name of your keystore:

    chmod 755 /etc/hyper9/mykeystore
  12. Generate a CSR from the Tomcat key, where mykeystore is the name of your keystore:

    cd /usr/java/jdk1.8.0_121/bin
    ./keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore mykeystore
    Enter keystore password: password

    The results will look like random letters, numbers, and symbols. The following is a generic example:

    [root@servername bin]# more certreq.csr
    -----BEGIN NEW CERTIFICATE REQUEST-----
    YYYaaaaBBbb1234ExyHuhSaAAA56789AJBgNVBAgTAlQQVQQHABCDEF99g+HIJKL
    BBhhHH92y83764+lksdcnhIHuiwHHYGTfTFOKJOj*IxDjAMBgNVBAsTBVRCIElUX
    YYYaaaaBBbb1234ExyHuhSaAAA56789AJBgNVBAgTAlQQVQQHABCDEF99g+HIJKL
    BBhhHH92y83764+lksdcnhIHuiwHHYGTfTFOKJOj*IxDjAMBgNVBAsTBVRCIElUX
    YYYaaaaBBbb1234ExyHuhSaAAA56789AJBgNVBAgTAlQQVQQHABCDEF99g+HIJKL
    ShjgBgw4AnJ7n+EvUaO/phDNCOdz4QVGZU/bv9qrpLDaK4v6u7ycz+KfFaD7Tq0x
    X8gjzM8Z5nVc30g/SE1iaAuzxNkP4cbNSXKrdtNF5jwM6ngXl2RS+JGRBDJ6Mxy+
    BBhhHH92y83764+lksdcnhIHuiwHHYGTfTFOKJOj*IxDjAMBgNVBAsTBVRCIElUX
    YYYaaaaBBbb1234ExyHuhSaAAA56789AJBgNVBAgTAlQQVQQHABCDEF99g+HIJKL
    hvcNAQkOMSEwHzAdBgNVHQ4EFgQU6tjDLTfZzQmQCf03ALjjJgxWo74wDQYJKoZI
    YYYaaaaBBbb1234ExyHuhSaAAA56789AJBgNVBAgTAlQQVQQHABCDEF99g+HIJKL
    6zFWDNhZdGsjWCfepRTHlqbtbjrNYxsy+qSOhRcSS5qNPwFv1XaWrpXAKA4QixkB
    F3kySF9ZOZ9VnVE8sUYn14lIG8rWF3Ln5eSTLHFLBO6LR0O+NPpy9E4cV5qhGK10
    G0lcj7dXVGW1L4zp/Ysqb2FJbyLv0EqzCmk25zYU2XAOJF+6XxkjNXU+5a5hwRyh
    2LbabbA1LiWNCxaZxkgYSVcfbHryngpIPT872UtDwHuNPH+ydy8WiZByjOGl9sF+
    HWpbaRC89WBEpL85C2hsau5X8/a8bWHBqhfq9vk=
    -----END NEW CERTIFICATE REQUEST-----
  13. On the server use the certreq tool to submit the certificate:

    PS C:\it> certreq -attrib "CertificateTemplate:WebServer4noenroll" –submit solarwindsvm.req
  14. Save the certificate to the desktop.

  15. Use WinSCP to move to SolarwindsVM: /home/admin/solarwindsvm.cer

  16. Export your keystore to new Keystore in PKCS12 format. For example:

    keytool -v -importkeystore -srckeystore tomcat.pkcs12 -srcstoretype PKCS12 -destkeystore mykeystore -deststoretype JKS
  17. Extract the Tomcat private key:

    openssl pkcs12 -in new-store.p12  -nodes -nocerts -out key.pem
  18. Combine the private key and certificate into one file. For this example, it is called tomcat.pem:

    cat key.pem >> tomcat.pem
    cat solarwindsvm.cer cer >> tomcat.pem
  19. Convert the combined file to PKCS12 format. For this example, converting the tomcat.pem file.

    openssl pkcs12 -export -out tomcat.pkcs12 -in tomcat.pem