Generate Manually Key Pairs and Certificate Signing Requests for the ESXi Hosts in Region A

If you plan to manually generate certificates for the ESXi hosts, generate a key pair and Certificate Signing Request (CSR) files for the hosts in the management cluster first and for the hosts in the shared edge and compute cluster next. Submit the CSR file to the certificate authority for signing.

Before you begin

Verify that the Windows host that you use for access to the data center is a part of the sfo01.rainpole.local domain.

About this task

You use the Management vCenter Server to generate the key pair and the CSR files because the appliance already has the required software for CSR generation installed. You can also use another Linux OS instance that has OpenSSL installed.

Procedure

  1. Log in to the Windows host that has access to your data center.
  2. Create a folder C:\manual-certs\esxhosts.
  3. Log in to mgmt01vc01.sfo01.rainpole.local by using a Secure Shell (SSH) client.

    1. Open an SSH connection to the virtual machine mgmt01vc01.sfo01.rainpole.local.
    2. Log in using the following credentials.

      |Setting|Value|
      |:------|:----|
      |User name|root|
      |Password|vcenter_server_root_password|

  4. Enable the Bash shell by running the following command.

    ```
    shell
    ```

  5. Create a directory to save the certificate signing request and the private key to.

    ```
    mkdir /tmp/ssl
    ```

  6. Navigate to the temporary directory by running the following command.

    ```
    cd /tmp/ssl
    ```

  7. Generate a key pair and CSR file for the mgmt01esx01.sfo01.rainpole.local host by running the following command.

    ```
    openssl req -nodes -newkey rsa:2048 -keyout mgmt01esx01.key -out mgmt01esx01.csr -subj "/C=US/ST=CA/L=SFO/O=Rainpole Inc./OU=Rainpole.local/CN=mgmt01esx01.sfo01.rainpole.local"
    ```

  8. Repeat Step 7 to create a key pair and CSR for each of the other hosts in Region A.

    |Host Name|Key File Name|CSR File Name|
    |:---------|:------------|:------------|
    |mgmt01esx02.sfo01.rainpole.local|mgmt01esx02.key|mgmt01esx02.csr|
    |mgmt01esx03.sfo01.rainpole.local|mgmt01esx03.key|mgmt01esx03.csr|
    |mgmt01esx04.sfo01.rainpole.local|mgmt01esx04.key|mgmt01esx04.csr|
    |comp01esx01.sfo01.rainpole.local|comp01esx01.key|comp01esx01.csr|
    |comp01esx02.sfo01.rainpole.local|comp01esx02.key|comp01esx02.csr|
    |comp01esx03.sfo01.rainpole.local|comp01esx03.key|comp01esx03.csr|
    |comp01esx04.sfo01.rainpole.local|comp01esx04.key|comp01esx04.csr|

  9. Copy all key and CSR files to the C:\manual-certs\esxhosts directory on the Windows host.
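
Steps 5 through 8 can be run as one loop, with each CSR checked before it is copied off the appliance and sent to the CA. This script is an added example, not part of the original VMware procedure; the function names and the script name are hypothetical, while the host names, subject fields and `openssl req` options are the ones shown in the steps above.

```bash
#!/bin/bash
# Added example: batch form of steps 5-8, plus a check of every CSR before it
# is sent to the CA. Function names are hypothetical, not from the VMware docs.
set -eu

DOMAIN="sfo01.rainpole.local"
SUBJ="/C=US/ST=CA/L=SFO/O=Rainpole Inc./OU=Rainpole.local"
HOSTS="mgmt01esx01 mgmt01esx02 mgmt01esx03 mgmt01esx04
       comp01esx01 comp01esx02 comp01esx03 comp01esx04"

# gen_csr DIR HOST: write HOST.key and HOST.csr (same openssl call as step 7).
gen_csr() {
    # -nodes leaves the private key unencrypted, so create it owner-only.
    ( umask 077
      openssl req -nodes -newkey rsa:2048 \
          -keyout "$1/$2.key" -out "$1/$2.csr" \
          -subj "$SUBJ/CN=$2.$DOMAIN" 2>/dev/null )
}

# check_csr DIR HOST: succeed only if the CSR self-signature verifies, the CN
# is the host's FQDN, and the CSR public key belongs to HOST.key.
check_csr() {
    openssl req -in "$1/$2.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$1/$2.csr" -noout -subject -nameopt RFC2253 |
        grep -qF "CN=$2.$DOMAIN," || return 1
    [ "$(openssl req -in "$1/$2.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/$2.key" -pubout)" ]
}

# generate_all DIR: generate and check a key pair and CSR for every host above.
generate_all() {
    mkdir -p "$1"
    for h in $HOSTS; do
        gen_csr "$1" "$h" && check_csr "$1" "$h" || { echo "FAILED: $h" >&2; return 1; }
        echo "ok: $h.$DOMAIN"
    done
}

# Usage (hypothetical script name): ./gen-esxi-csrs.sh /tmp/ssl
if [ $# -ge 1 ]; then generate_all "$1"; fi
```

Because the keys are written without a passphrase, remove them from `/tmp/ssl` on the appliance once they have been copied to the Windows host.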

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A.
