Generate Manually Key Pair and Certificate Signing Request for vCenter Server in Region B
If you plan to manually generate a CA-signed certificate for vCenter Server in Region B, you can generate a certificate signing request (CSR) and submit it to the CA for signing.
Before you begin
Verify that the Windows host that you use for access to the data center is a member of the lax01.rainpole.local domain.
About this task
You generate a CSR on the vCenter Server instances by using the vSphere Certificate Manager utility, and obtain custom certificates that are signed by the intermediate certificate authority available on the child AD servers.
Procedure
1. Log in to a Windows host that has access to the data center as an administrator.
2. Log in to the vCenter Server Appliance for the management cluster by using a Secure Shell (SSH) client.
   a. Open an SSH connection to the vCenter Server instance by using an SSH client.

      |vCenter Server|Virtual Appliance FQDN|
      |:-------------|:---------------------|
      |Management vCenter Server|mgmt01vc51.lax01.rainpole.local|
      |Compute vCenter Server|comp01vc51.lax01.rainpole.local|

   b. Log in using the following credentials.

      |Setting|Value|
      |:------|:----|
      |User name|root|
      |Password|vcenter_server_root_password|

3. Enable the Bash shell by running the following command.

   ```
   shell
   ```

4. Create a directory to save the certificate signing request and private key to.

   ```
   mkdir /tmp/ssl
   ```

5. Start the vSphere Certificate Manager utility.

   ```
   /usr/lib/vmware-vmca/bin/certificate-manager
   ```

6. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name [email protected] and the vsphere_admin_password password.
7. When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.

   |vCenter Server|IP Address of Connected Platform Services Controller|
   |:-------------|:---------------------------------------------------|
   |mgmt01vc51.lax01.rainpole.local|172.17.11.61|
   |comp01vc51.lax01.rainpole.local|172.17.11.63|

8. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate), and enter /tmp/ssl for the directory to save the certificate signing request and private key to.
9. Provide the following settings to configure certool.cfg and close the vSphere Certificate Manager utility.

   |Setting|Value on the Management Platform Services Controller|Value on the Compute Platform Services Controller|
   |:------|:---------------------------------------------------|:------------------------------------------------|
   |Country|US|US|
   |Name|mgmt01vc51.lax01.rainpole.local|comp01vc51.lax01.rainpole.local|
   |Organization|Rainpole Inc.|Rainpole Inc.|
   |OrgUnit|Rainpole.local|Rainpole.local|
   |State|California|California|
   |Locality|Palo Alto|Palo Alto|
   |IPAddress|-|-|
   |Email|[email protected]|[email protected]|
   |Hostname|mgmt01vc51.lax01.rainpole.local|comp01vc51.lax01.rainpole.local|

   The utility creates the CSR file vmca_issued_csr.csr and the private key file vmca_issued_key.key in the /tmp/ssl folder.

10. Rename the vmca_issued_csr.csr and vmca_issued_key.key files to match the virtual machine name of the vCenter Server instance.

    |vCenter Server|Key and CSR File Names|Command|
    |:-------------|:---------------------|:------|
    |mgmt01vc51.lax01.rainpole.local|mgmt01vc51.lax01_ssl.csr|mv vmca_issued_csr.csr mgmt01vc51.lax01_ssl.csr|
    ||mgmt01vc51.lax01_ssl.key|mv vmca_issued_key.key mgmt01vc51.lax01_ssl.key|
    |comp01vc51.lax01.rainpole.local|comp01vc51.lax01_ssl.csr|mv vmca_issued_csr.csr comp01vc51.lax01_ssl.csr|
    ||comp01vc51.lax01_ssl.key|mv vmca_issued_key.key comp01vc51.lax01_ssl.key|

11. If you plan to manually generate a certificate for the other vCenter Server instance in Region B, repeat Step 2 to Step 10.
12. Copy the .csr file to the C:\manual-certs\vc directory on the Windows host.

    |vCenter Server|Directory on the Windows host|
    |:-------------|:----------------------------|
    |Management vCenter Server|C:\manual-certs\vc\mgmt01vc51.lax01_ssl.csr|
    |Compute vCenter Server|C:\manual-certs\vc\comp01vc51.lax01_ssl.csr|

    Use the scp command, FileZilla, or WinSCP to copy the file.
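Before renaming the files and sending the CSR to the CA, it is worth confirming that the request the utility wrote actually carries the expected vCenter Server FQDN as its subject CN, that its self-signature verifies, and that the private key in /tmp/ssl belongs to it. The following Bash function is an added check, not part of the VMware procedure or the vSphere Certificate Manager utility; it assumes only that openssl is on the PATH, which it is on the vCenter Server Appliance.

```shell
#!/bin/bash
# Added example (not from the VMware procedure): sanity-check the CSR and key
# written by vSphere Certificate Manager before submitting the CSR to the CA.
# Assumes openssl is available on the appliance.
#
# Usage: verify_csr <csr-file> <key-file> <expected-fqdn>
# Returns 0 only when all three checks pass; prints the first failure to stderr.
verify_csr() {
  csr="$1"; key="$2"; fqdn="$3"

  # 1. The CSR must parse and its self-signature must verify, otherwise the
  #    CA will reject it (or, worse, sign a corrupted request).
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR signature does not verify: $csr" >&2; return 1; }

  # 2. The subject CN must equal the FQDN entered in the Name/Hostname fields
  #    of certool.cfg; a wrong CN yields a certificate browsers will not trust.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] \
    || { echo "CN mismatch: CSR has '$cn', expected '$fqdn'" >&2; return 1; }

  # 3. The private key must match the public key embedded in the CSR, or the
  #    signed certificate can never be installed against this key. Compare the
  #    SHA-256 of the DER-encoded SubjectPublicKeyInfo from both files.
  csr_pub=$(openssl req -in "$csr" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$csr_pub" = "$key_pub" ] \
    || { echo "private key $key does not match the public key in $csr" >&2; return 1; }

  return 0
}

# Example invocation on the Management vCenter Server, run from the Bash shell:
# verify_csr /tmp/ssl/vmca_issued_csr.csr /tmp/ssl/vmca_issued_key.key \
#            mgmt01vc51.lax01.rainpole.local && echo "CSR and key look consistent"
```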
What to do next
Obtain a signed certificate from the Microsoft certificate authority. See Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B.
Parent topic: Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B