Skip to content

Runecast | SSL certificate implementation

Last week I decided to replace the self-signed SSL certificate in an application called Runecast. In a nutshell, Runecast is an application that comes to the aid of everyone who manages a VMMware environment (and not only that), but is also very helpful in planning upgrades of the physical hosts. In another post I will try to present this product in more detail, and if you would like to read more about it now, you can do so here.

Coming back to the topic, replacing an SSL certificate is generally not difficult and if the team responsible for Certificate Authority (CA) works efficiently, it is a task that can be done over your morning coffee. The only problem with this implementation, in my opinion, is a very short manual from the Runecast (available here), which, in my experience, is missing several important things, so I would like to briefly describe them later.

The first step you need to take is to generate a CSR file, a certificate signing request. Additionally, during this operation, I generated a new private key (KEY). Of course, this must be done from the server appliance itself using the RCADMIN user.

After connecting via SSH to the server, use the openssl command, but before we get to that, we need to set some values that will be helpful.

RCA_FQDN refers to the FQDN of your server, and RCA_SANS – SAN is a Subject Alternative Name, i.e. all the names or addresses under which your Runecast application can be reached by all users using it. In my case, it is the server's FQDN, an additional alias that was set in DNS and the IP address (so I have 3 SANs).


RCA_SANS=”DNS:${RCA_FQDN}, DNS:runecast.X.X, IP:10.X.X.X”


and the full command looked like this


openssl req -out rc2.csr \
-keyout rc2.key \
-newkey rsa:2048 \
-nodes \
-subj “/C=PL/ST=Masovia/L=Warsaw/O=XXX/OU=XXX/CN=${RCA_FQDN}” \
-addext “subjectAltName = ${RCA_SANS}”



As a result of this operation, we will receive two files

To verify whether everything went as intended, we can use the command


openssl req -text -noout -verify -in rc2.csr



We leave the rc2.key file on the server because it is our newly generated private key. The CSR file will be used to generate a request to the CA.
For this purpose, I transferred the CSR file from the server to my laptop and using the command below, I generated a request to get a new certificate for me.

After sending such a request, I had to wait to receive information from the team responsible for certificates that the request has been completed and our certificate is ready for download.


Collecting the certificate

To download the certificate, we will use CMD again

The result will be a CRT file, i.e. our certificate. However, because the Runecast application supports the PEM format, so in order to determine the entire inheritance chain we will have to modify our certificate.

The new certificate we will create will consist of:

  • New certificate
  • Intermediate Certificate
  • Root CA certificate

Additionally, the certificate must be prepared in an appropriate format

(Your Primary SSL certificate: your_domain_name.crt)
(Your Intermediate certificate: DigiCertCA.crt)
(Your Root certificate: TrustedRoot.crt)


More information about the PEM format can be found on the Digicert website.

After doing this, you need to transfer the new certificate to the Runecast server.
Then we go to the /etc/runecast/cert folder to backup the current certificates by renaming them

We transfer the private key and our certificate

The next step is to grant appropriate permissions to both files by using the commands below

sudo chown root:rctomcat rc2.crt
sudo chown root:rctomcat rc2.key
sudo chmod 640 rc2.crt
sudo chmod 640 rc2.key

After changing permissions and before restarting the service, we can make sure that the nginx service is working properly

When the test was successful, we can restart the Nginx service

From now on, the connection to the Runecast application is secure.


Consultations on VMware technology and more.



If there is a topic you would like to discuss, you can contact me here.