Replace the vCenter Server Certificate Files in Region A
After you replace the Platform Services Controller certificate, you replace the vCenter Server machine SSL certificate. You generate a vCenter Server certificate manually or by using the CertGenVVD tool.
About this task
You replace certificates twice, once for each vCenter Server instance. You can start replacing certificates on Management vCenter Server mgmt01vc01.sfo01.rainpole.local first.
| vCenter Server FQDN | Files for Certificate Replacement | Replacement Order |
|:---|:---|:---|
| mgmt01vc01.sfo01.rainpole.local | mgmt01vc01.sfo01.key<br>mgmt01vc01.sfo01.3.pem (CertGenVVD2.1)<br>mgmt01vc01.sfo01.1.chain.cer (Manually)<br>chainRoot64.cer | After you replace the certificate on the management Platform Services Controller. |
| comp01vc01.sfo01.rainpole.local | comp01vc01.sfo01.key<br>comp01vc01.sfo01.3.pem (CertGenVVD2.1)<br>comp01vc01.sfo01.1.chain.cer (Manually)<br>chainRoot64.cer | After you replace the certificate on the compute Platform Services Controller. |
Procedure
- Use the scp command, FileZilla, or WinSCP to copy the machine and CA certificate files to the /tmp/ssl directory on the Management vCenter Server.
- Log in to the vCenter Server instance by using a Secure Shell (SSH) client.
  - Open an SSH connection to the vCenter Server Appliance mgmt01vc01.sfo01.rainpole.local.
  - Log in using the following credentials.

    | Setting | Value |
    |:------|:----|
    | User name | root |
    | Password | vcenter_server_root_password |
- Replace the CA-signed certificate on the vCenter Server instance.
  - Add the root certificate to the VMware Endpoint Certificate Store as a Trusted Root Certificate using the following command and enter the vCenter Single Sign-On password when prompted.

    ```
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer
    ```

  - Rename mgmt01vc01.sfo01.3.pem to mgmt01vc01.sfo01.1.chain.cer.

    ```
    mv /tmp/ssl/mgmt01vc01.sfo01.3.pem /tmp/ssl/mgmt01vc01.sfo01.1.chain.cer
    ```

  - Start the vSphere Certificate Manager utility on the vCenter Server instance.

    ```
    /usr/lib/vmware-vmca/bin/certificate-manager
    ```

  - Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
  - When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that is connected to this vCenter Server instance.

    | vCenter Server | IP Address of Connected Platform Services Controller |
    |:---|:---|
    | mgmt01vc01.sfo01.rainpole.local | 172.16.11.61 |
    | comp01vc01.sfo01.rainpole.local | 172.16.11.63 |
  - Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
  - When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that you generated earlier, and confirm the import with Yes (Y).

    Input to the vSphere Certificate Manager utility for vCenter Server mgmt01vc01.sfo01.rainpole.local:

    ```
    Please provide valid custom certificate for Machine SSL.
    File : /tmp/ssl/mgmt01vc01.sfo01.1.chain.cer
    Please provide valid custom key for Machine SSL.
    File : /tmp/ssl/mgmt01vc01.sfo01.key
    Please provide the signing certificate of the Machine SSL certificate.
    File : /tmp/ssl/chainRoot64.cer
    ```

    Input to the vSphere Certificate Manager utility for vCenter Server comp01vc01.sfo01.rainpole.local:

    ```
    Please provide valid custom certificate for Machine SSL.
    File : /tmp/ssl/comp01vc01.sfo01.1.chain.cer
    Please provide valid custom key for Machine SSL.
    File : /tmp/ssl/comp01vc01.sfo01.key
    Please provide the signing certificate of the Machine SSL certificate.
    File : /tmp/ssl/chainRoot64.cer
    ```
  - After Status shows `100% Completed`, wait several minutes until all vCenter Server services are restarted.
- Log in to the vSphere Web Client to verify that certificate replacement is successful.
  - Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
  - Log in using the following credentials.

    | Setting | Value |
    |:-------|:-----|
    | User name | administrator@vsphere.local |
    | Password | vsphere_admin_password |
After you replace the certificate on the mgmt01vc01.sfo01.rainpole.local vCenter Server, repeat the procedure to replace the certificate on the compute vCenter Server comp01vc01.sfo01.rainpole.local.
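The vSphere Certificate Manager utility stops and restarts every vCenter Server service during Option 1, so it is worth confirming that the three files in /tmp/ssl actually belong together before starting it. The following pre-flight check is an added example, not part of the VMware procedure, the CertGenVVD tool, or certificate-manager itself. It assumes openssl is on the PATH (it is on the vCenter Server Appliance), that the key file is unencrypted (as certificate-manager requires), and that it is given the chain certificate, the key, chainRoot64.cer and the vCenter Server FQDN in that order. The function name check_cert_bundle and its return codes are this example's own.

```shell
#!/bin/sh
# Added pre-flight check, not part of the VMware procedure: verify that the
# machine SSL certificate, its private key and the root certificate fit
# together before handing them to certificate-manager.
#
# check_cert_bundle <chain.cer> <key> <root.cer> <fqdn>
#   returns 0 when every check passes, otherwise a non-zero code with the
#   reason on stderr (codes are this example's own convention).
check_cert_bundle() {
    cert="$1"; key="$2"; root="$3"; fqdn="$4"

    for f in "$cert" "$key" "$root"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. The private key must belong to the certificate: derive the public
    #    key from each side, DER-encode it and compare SHA-256 digests.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 2; }

    # 2. The certificate must chain to the root that is published to VECS.
    #    -untrusted lets any intermediates bundled in the chain file be used.
    openssl verify -CAfile "$root" -untrusted "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to $root" >&2; return 3; }

    # 3. The certificate must remain valid for at least 30 days (2592000 s).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "certificate expires within 30 days" >&2; return 4; }

    # 4. The FQDN that clients connect to must appear in the Subject
    #    Alternative Name; modern browsers ignore the CN for host matching.
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 "Subject Alternative Name" \
        | grep -Eq "DNS:$fqdn(,|$)" \
        || { echo "subjectAltName does not contain $fqdn" >&2; return 5; }

    return 0
}

# Usage on the appliance, from the directory holding the copied files:
#   check_cert_bundle /tmp/ssl/mgmt01vc01.sfo01.1.chain.cer \
#       /tmp/ssl/mgmt01vc01.sfo01.key /tmp/ssl/chainRoot64.cer \
#       mgmt01vc01.sfo01.rainpole.local && echo "bundle OK"
```

Run it once per vCenter Server with that server's files, after the rename step and before starting certificate-manager; a non-zero exit means the import would have been attempted with files that cannot succeed, and the message on stderr says which of the four checks failed.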