Importing vCloud Air SSL Certificate on the vCenter Server Appliance 5.x

I’m playing around a bit with vCloud Air and Virtual Private Cloud OnDemand, and in order to set up the vCloud Hybrid Service plugin in the vSphere Web Client you need to import the vCloud Air SSL certificate into vCenter. If the certificate isn’t present in the vCSA keystore when you try to authenticate with vCloud Air, you get a “Server Certificate not Verified” error, and you will be unsuccessful in configuring the plugin.

The Using the vCloud Hybrid Service vSphere Client Plug-in document outlines how this can be accomplished, but it’s based on downloading the SSL certificate via a browser and then importing it into the vCenter Keystore. Since I mostly run the vCenter Server Appliance, I didn’t want to bother with downloading it from one of my desktops, and copying the files over to the vCSA for import.

I mean, there has to be a better way to do that, via the command line, right? Indeed there is: this little one-liner downloads and formats the certificate from to /tmp on the vCSA, and then proceeds to import it into the keystore.


```bash
echo -n | openssl s_client -connect | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/vchs.cer && /usr/java/jre-vmware/bin/keytool -alias vchs -v -keystore /usr/lib/vmware-vsphere-client/server/configuration/keystore -storepass changeit -import -file /tmp/vchs.cer
```

All you have to do is press ‘y’ to confirm the import:
```
Trust this certificate? [no]: y
Certificate was added to keystore
[Storing /usr/lib/vmware-vsphere-client/server/configuration/keystore]
vcenter:/tmp #
```

And there it is, you can now add your vCloud Air credentials via the vSphere Web Client, without having to copy any files from your browser/desktop to the vCSA.
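
The one-liner above imports whatever certificate the server presents at that moment, and the only check is the manual ‘y’. As an added example (not part of the original post), the script below does the same fetch and import but refuses to import unless the certificate's SHA-256 fingerprint matches one obtained out-of-band. The function names, the HOST:PORT argument and the pin value are assumptions; the keytool path, keystore path and store password are the ones used above.

```bash
#!/bin/bash
# Added example: fetch a server certificate, check it against a pinned SHA-256
# fingerprint, and only then import it. Function names are hypothetical.
KEYTOOL=/usr/java/jre-vmware/bin/keytool      # path from the post
KEYSTORE=/usr/lib/vmware-vsphere-client/server/configuration/keystore

# Keep only the first PEM block (the server's own certificate) of s_client output.
first_pem() {
    sed -n -e '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' -e '/-END CERTIFICATE-/q'
}

# Strip any "... Fingerprint=" label, colons and whitespace; upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Return 0 on match, 1 on mismatch, 2 if the pin is not 64 hex digits (SHA-256).
fp_matches() {
    normalize_fp "$2" | grep -Eq '^[0-9A-F]{64}$' || return 2
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# usage: pin_and_import HOST:PORT EXPECTED_SHA256 [ALIAS]
pin_and_import() {
    pem=$(mktemp /tmp/cert.XXXXXX) || return 1
    openssl s_client -connect "$1" </dev/null 2>/dev/null | first_pem > "$pem"
    got=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) || { rm -f "$pem"; return 1; }
    if ! fp_matches "$got" "$2"; then
        echo "not importing, fingerprint check failed: $got" >&2
        rm -f "$pem"
        return 1
    fi
    # The pin check replaces the interactive "Trust this certificate?" prompt.
    "$KEYTOOL" -import -noprompt -alias "${3:-vchs}" -file "$pem" \
        -keystore "$KEYSTORE" -storepass changeit
    rc=$?
    rm -f "$pem"
    return $rc
}

# Runs only when arguments are given: ./pin-import.sh HOST:PORT <sha256 fingerprint>
if [ "$#" -ge 2 ]; then pin_and_import "$@"; fi
```

The pin should come from a channel other than the connection being checked, for example the fingerprint shown by a browser on a separate, trusted network.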

Importing SSL Certificates to Raspberry Pi Thin Client

When playing around with the Raspberry Pi Thin Client, I ran into an issue with the SSL certificates for the Citrix Receiver client. For some reason it didn’t want to play with the certificates installed on the server side, and popped the following error message:

You have not chosen to trust “AddTrust External CA Root”, the issuer of the server’s security certificate.

Thankfully there is a quick fix for this! Since Iceweasel is also in the RPTC distribution, and it has a lot more SSL root CA certificates included by default, all that was required (in my case) was to link the certificates it has with the certificates the Citrix Receiver client can use.

Issue the following command to create symlinks for the “missing” certificates in the Citrix Receiver keystore:

```bash
sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/
```

Supply the root password, which in RPTC is raspberry by default, and if your CA’s root certificate is included with Iceweasel, you should now be able to connect without getting certificate errors.

It’s pretty neat to be able to use a small Raspberry Pi as a Thin Client like this, but it’s too bad that it does not support VMware Horizon View using PCoIP (yet?), only RDP, something I have yet to test since my demo environment runs PCoIP only at the moment.

Thanks again to Simplivity for their Raspberry Pi vEXPERT gift!