Additional Configuration for Intermediate Certificate Authority in Region B

If you use an intermediate certificate authority on lax01.rainpole.local as the certificate signer, the CertGenVVD utility retrieves only the Base-64 encoded certificate of the intermediate CA from the Microsoft CA. Certificates signed by the intermediate CA cannot be validated to a trusted root from that file alone, so you must create a certificate chain file that also includes the root CA certificate and use it in place of Root64.cer.

Procedure

  1. Log in to the certificate request site (Active Directory Certificate Services Web Enrollment) on the lax01.rainpole.local AD server.

    1. Open a browser and go to https://dc51lax.lax01.rainpole.local/certsrv.
    2. Log in using the following credentials.

       |Setting|Value|
       |:------|:-----|
       |User name|ad_administrator|
       |Password|ad_administrator_password|
  2. Download and export the certificates of the intermediate and root CAs.

    1. Click Download a CA certificate, certificate chain, or CRL.
    2. In the CA certificate list, select Current [lax01-DC01LAX-CA], select Base 64, and click Download CA certificate chain.
    3. Save the file as chainroot.p7b.
    4. Open chainroot.p7b.

      The certmgr utility appears.

    5. Navigate to the Certificates folder.

    6. Right-click lax01-DC01LAX-CA and select All Tasks > Export.

      The Certificate Export Wizard appears.

    7. On the Welcome page, click Next.

    8. Select Base-64 encoded X.509 (.CER) and click Next.
    9. On the File to Export page, browse to C:\CertGenVVD-version\SignedByMSCACerts\lax01-intermediate-ca.cer, click Next, and click Finish.
    10. Click OK when you see the message about a successful export.
    11. In the certmgr utility, right-click rainpole-DC01RPL-CA, select All Tasks > Export, and repeat the steps to save the rainpole.local root CA certificate as C:\CertGenVVD-version\SignedByMSCACerts\rainpole-root-ca.cer.
  3. Create the chainRoot64lax.cer file that includes both root and intermediate CA certificates.

    1. Open rainpole-root-ca.cer in a text editor.
    2. Copy the entire content and close the file.
    3. Open lax01-intermediate-ca.cer in a text editor, press Enter to insert a new line at the end of the file, and paste the content of rainpole-root-ca.cer. The order matters: the intermediate CA certificate must come first and the root CA certificate last, so that the file lists the chain from the signing CA up to the trust anchor.
    4. Save the file as chainRoot64lax.cer in C:\CertGenVVD-version\SignedByMSCACerts\.
    5. Close all files.
    6. Verify that the new file C:\CertGenVVD-version\SignedByMSCACerts\chainRoot64lax.cer exists and contains the content of both lax01-intermediate-ca.cer and rainpole-root-ca.cer, in that order, each between its own BEGIN CERTIFICATE and END CERTIFICATE lines.
  4. Refresh all MSCA-signed certificates with new intermediate and root CAs.

    1. Open the C:\CertGenVVD-version folder.
    2. Make a copy of the SignedByMSCACerts folder and name it SignedByMSCACerts-backup.
    3. Rename the SignedByMSCACerts folder to CSRCerts.
    4. Open the C:\CertGenVVD-version\CSRCerts\RootCA\ folder.
    5. Delete the Root64.cer file.
    6. Copy C:\CertGenVVD-version\CSRCerts\chainRoot64lax.cer into the RootCA folder and rename the copy to Root64.cer.
    7. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
    8. Run the following command to regenerate all certificate files and packages using the new Root64.cer.

      ```powershell
      .\CertGenVVD-version.ps1 -CSR -extra
      ```

    9. Rename the CSRCerts folder back to SignedByMSCACerts.
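
The same procedure scripted in PowerShell, as an added example that is not part of the original VMware documentation: it extracts the intermediate and root CA certificates from the downloaded chainroot.p7b instead of using the certmgr wizard, writes the two .cer files and the combined chainRoot64lax.cer (intermediate first, root last), checks that the intermediate really chains to the root before the file is used as a trust anchor, and then performs the backup, rename, Root64.cer replacement and regeneration steps. The folder name C:\CertGenVVD-version, the script name CertGenVVD-version.ps1, and the location of chainroot.p7b inside SignedByMSCACerts are assumptions taken from the steps above; substitute the actual version in your environment.

```powershell
# Added example, not VMware's code. Assumed paths: the CertGenVVD folder name carries a version
# suffix in practice, and chainroot.p7b is assumed to have been saved into SignedByMSCACerts.
$certGen   = 'C:\CertGenVVD-version'
$signedDir = Join-Path $certGen 'SignedByMSCACerts'
$p7b       = Join-Path $signedDir 'chainroot.p7b'

# Load every certificate contained in the PKCS#7 chain file downloaded from /certsrv.
$coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$coll.Import($p7b)

# The root CA is self-signed (Subject equals Issuer); the intermediate is the CA issued by that root.
$roots = @($coll | Where-Object { $_.Subject -eq $_.Issuer })
if ($roots.Count -ne 1) { throw "Expected exactly one self-signed root CA in $p7b, found $($roots.Count)" }
$root = $roots[0]
$intermediates = @($coll | Where-Object { $_.Thumbprint -ne $root.Thumbprint -and $_.Issuer -eq $root.Subject })
if ($intermediates.Count -ne 1) { throw "Expected exactly one intermediate CA issued by $($root.Subject)" }
$intermediate = $intermediates[0]

# Prove the intermediate was actually signed by this root before trusting the pair as a chain.
# AllowUnknownCertificateAuthority lets Build() succeed even if the root is not yet in the
# machine trust store; the thumbprint check makes sure the chain ends at the root we extracted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'NoCheck'
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($root)
if (-not $chain.Build($intermediate)) { throw "Intermediate CA $($intermediate.Subject) does not chain to the root" }
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) { throw "Chain terminates at $($top.Subject), not at the expected root" }

# Same output as the certmgr export with "Base-64 encoded X.509 (.CER)": PEM with 64-character lines.
function ConvertTo-Pem([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $b64   = [Convert]::ToBase64String($cert.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`r`n"
}

$intermediatePem = ConvertTo-Pem $intermediate
$rootPem         = ConvertTo-Pem $root
Set-Content -Path (Join-Path $signedDir 'lax01-intermediate-ca.cer') -Value $intermediatePem -Encoding Ascii
Set-Content -Path (Join-Path $signedDir 'rainpole-root-ca.cer')      -Value $rootPem         -Encoding Ascii

# Step 3: chain file with the intermediate first and the root last.
$chainFile = Join-Path $signedDir 'chainRoot64lax.cer'
Set-Content -Path $chainFile -Value ($intermediatePem + "`r`n" + $rootPem) -Encoding Ascii
$blocks = ([regex]::Matches((Get-Content $chainFile -Raw), '-----BEGIN CERTIFICATE-----')).Count
if ($blocks -ne 2) { throw "chainRoot64lax.cer should contain 2 certificates, found $blocks" }

# Step 4: back up, rename, swap in the chain as Root64.cer, regenerate, and rename back.
Copy-Item -Path $signedDir -Destination (Join-Path $certGen 'SignedByMSCACerts-backup') -Recurse
Rename-Item -Path $signedDir -NewName 'CSRCerts'
$csrDir = Join-Path $certGen 'CSRCerts'
Remove-Item -Path (Join-Path $csrDir 'RootCA\Root64.cer')
Copy-Item -Path (Join-Path $csrDir 'chainRoot64lax.cer') -Destination (Join-Path $csrDir 'RootCA\Root64.cer')

Push-Location $certGen
try {
    & .\CertGenVVD-version.ps1 -CSR -extra    # assumption: script name as written in the step above
} finally {
    Pop-Location
}
Rename-Item -Path $csrDir -NewName 'SignedByMSCACerts'
```

Run it in an elevated PowerShell session on the host where CertGenVVD lives; if the chain check throws, the downloaded chainroot.p7b does not contain the intermediate and root you expect, and nothing is modified because the check runs before any file is written or renamed.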
