Generate CA-Signed Certificates for the SDDC Management Components in Region B

When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA).

Before you begin

Procedure

  1. Log in to the Windows host that has access to the AD server as an administrator.
  2. Submit a request and download the certificate chain that contains the CA-signed certificate and the CA certificate.

    1. Open a Web Browser and go to http://dc51lax.lax01.rainpole.local/CertSrv/ to open the Web interface of the CA server.
    2. Log in using the following credentials.

      | Setting   | Value             |
      |:----------|:------------------|
      | User name | AD administrator  |
      | Password  | ad_admin_password |

    3. Click the Request a certificate link.

    4. Click advanced certificate request.
    5. Open the CSR file .csr in a plain text editor.
    6. Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- to the clipboard.
    7. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR file into the Saved Request box.
    8. From the Certificate Template drop-down menu, select VMware and click Submit.
    9. On the Certificate issued screen, click Base 64 encoded.
    10. Click the Download Certificate chain link and save the certificate chain file certnew.p7b to the Downloads folder.
  3. Export the machine certificate to the correct format.

    1. Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
    2. Navigate to certnew.p7b > Certificates and notice the three certificates.
    3. Right-click the machine certificate and select All Tasks > Export.
    4. In the Certificate Export Wizard, click Next.
    5. Select Base-64 encoded X.509 (.CER) and click Next.
    6. Browse to C:\certs and specify the certificate name in the File name text box.
    7. Click Next and click Finish.

      The certificate file is saved to the C:\certs folder.

  4. Export the intermediate CA certificate file to the correct format.

    1. Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
    2. Navigate to certnew.p7b > Certificates and notice the three certificates.
    3. Right-click the intermediate CA certificate and select All Tasks > Export.
    4. In the Certificate Export Wizard, click Next.
    5. Select Base-64 encoded X.509 (.CER) and click Next.
    6. Browse to C:\certs and enter Intermediate in the File name text box.
    7. Click Next and click Finish.

      The Intermediate.cer file is saved to the C:\certs folder.

  5. Export the root CA certificate file in the correct format.

    1. Right-click the root certificate and select All Tasks > Export.
    2. In the Certificate Export Wizard, click Next.
    3. Select Base-64 encoded X.509 (.CER) and click Next.
    4. Browse to C:\certs and enter Root64 in the File name text box.
    5. Click Next and click Finish.

      The Root64.cer file is saved to the C:\certs folder.

  6. Move each certificate file to its C:\manual-certs\component folder under the file name shown in the following table.

    | Management Component | Target Folder | Certificate File Names |
    |:---------------------|:--------------|:-----------------------|
    | ESXi hosts for the management cluster | C:\manual-certs\mgmt01esx.lax01 | mgmt01esx51.cer, mgmt01esx52.cer, mgmt01esx53.cer, mgmt01esx54.cer |
    | ESXi hosts for the shared edge and compute cluster | C:\manual-certs\comp01esx.lax01 | comp01esx51.cer, comp01esx52.cer, comp01esx53.cer, comp01esx54.cer |
    | Platform Services Controller for the management cluster | C:\manual-certs\lax01psc51.lax01 | lax01psc51.lax01.cer |
    | vCenter Server for the management cluster | C:\manual-certs\mgmt01vc51.lax01 | mgmt01vc51.lax01.cer |
    | NSX Manager for the management cluster | C:\manual-certs\mgmt01nsxm51.lax01 | mgmt01nsxm51.lax01.cer |
    | Platform Services Controller for the shared edge and compute cluster | - | - |
    | vCenter Server for the shared edge and compute cluster | C:\manual-certs\comp01vc51.lax01 | comp01vc51.lax01.cer |
    | NSX Manager for the shared edge and compute cluster | C:\manual-certs\comp01nsxm51.lax01 | comp01nsxm51.lax01.cer |
    | vSphere Data Protection | C:\manual-certs\mgmt01vdp51.lax01 | vdp.p7b |
    | Site Recovery Manager | C:\manual-certs\srm | mgmt01srm01.sfo01.cer, mgmt01srm51.lax01.cer |
    | vSphere Replication | C:\manual-certs\vr | mgmt01vrms01.sfo01.cer, mgmt01vrms51.lax01.cer |
    | vRealize Automation | | |
    | vRealize Orchestrator | | |
    | vRealize Business | | |
    | vRealize Operations Manager | | |
    | vRealize Log Insight | C:\manual-certs\vrli.lax01 | vrli.lax01.cer |

  7. Generate a certificate chain file.

    1. Navigate to the directory C:\manual-certs\component.
    2. For each management component, run the following command to create the certificate chain file.

      | Management Component | Certificate Chain File Name |
      |:---------------------|:----------------------------|
      | Platform Services Controller for the management cluster | lax01psc51.lax01.chain.cer |
      | vCenter Server for the management cluster | mgmt01vc51.lax01.chain.cer |
      | NSX Manager for the management cluster | mgmt01nsxm51.lax01.chain.cer |
      | Platform Services Controller for the shared edge and compute cluster | Not applicable |
      | vCenter Server for the shared edge and compute cluster | comp01vc51.lax01.chain.cer |
      | NSX Manager for the shared edge and compute cluster | comp01nsxm51.lax01.chain.cer |
      | vSphere Data Protection | Not applicable |
      | Site Recovery Manager | mgmt01srm01.sfo01.cer for Region A, mgmt01srm51.lax01.cer for Region B |
      | vSphere Replication | mgmt01vrms01.sfo01.p12 for Region A, mgmt01vrms51.lax01.p12 for Region B |
      | vRealize Automation | Not applicable |
      | vRealize Orchestrator | Not applicable |
      | vRealize Business | Not applicable |
      | vRealize Operations Manager | Not applicable |
      | vRealize Log Insight | vrli-lax01.chain.cer |

      ```
      copy own-certificate-file+Intermediate.cer+Root64.cer component-chain-file
      ```

      For example, run the following command to generate a certificate chain file for the NSX Manager for the management cluster.

      ```
      copy mgmt01nsxm51.lax01.cer+Intermediate.cer+Root64.cer mgmt01nsxm51.lax01.chain.cer
      ```

  8. Repeat the procedure to generate signed certificates for the other products.

  9. For each vCenter Server instance, create a certificate chain file CACert.chain.cer that contains the certificates of the root and intermediate CA in the vCenter Server specific folder.

    | vCenter Server | Folder |
    |:---------------|:-------|
    | Management vCenter Server | C:\manual-certs\mgmt01vc51.lax01 |
    | Compute vCenter Server | C:\manual-certs\comp01vc51.lax01 |

    ```
    copy Intermediate.cer+Root64.cer CACert.chain.cer
    ```

  10. For Site Recovery Manager, convert the signed certificate to PKCS#12 format using OpenSSL on the Windows virtual machines of Site Recovery Manager and create a chain of CA certificates.

    1. On the virtual machine of Site Recovery Manager, open a command prompt, go to C:\manual-certs and locate the following files.

      | Region   | Certificate File Names |
      |:---------|:-----------------------|
      | Region A | mgmt01srm01.sfo01.cer, mgmt01srm01.sfo01_ssl.key, Intermediate.cer, Root64.cer |
      | Region B | mgmt01srm51.lax01.cer, mgmt01srm51.lax01_ssl.key, Intermediate.cer, Root64.cer |

    2. Run the following commands to generate the PKCS#12 certificate and the CA certificate chain.

      Region A:

      ```
      openssl.exe pkcs12 -export -in mgmt01srm01.sfo01.cer -inkey mgmt01srm01.sfo01_ssl.key -name "srmprotected" -passout pass:VMware1! -out mgmt01srm01.sfo01.p12
      copy Intermediate.cer+Root64.cer CACert.chain.cer
      ```

      Region B:

      ```
      openssl.exe pkcs12 -export -in mgmt01srm51.lax01.cer -inkey mgmt01srm51.lax01_ssl.key -name "srmprotected" -passout pass:VMware1! -out mgmt01srm51.lax01.p12
      copy Intermediate.cer+Root64.cer CACert.chain.cer
      ```

      This command sets user name srmprotected and password VMware1! for the PKCS#12 file.

    3. Repeat the steps to generate a PKCS#12 file and CACert.chain.cer for Site Recovery Manager in the other region.

  11. For vSphere Replication, generate a PKCS#12 file.

    1. On the Windows host open a command prompt, navigate to the C:\manual-certs directory and run the following command to create CA certificate chain and machine certificate files in the folder for vSphere Replication.

      vSphere Replication in Region A:

      ```
      copy Intermediate.cer+Root64.cer CACert.chain.cer
      copy mgmt01vrms01.sfo01.cer+CACert.chain.cer mgmt01vrms01.sfo01.chain.cer
      ```

      vSphere Replication in Region B:

      ```
      copy Intermediate.cer+Root64.cer CACert.chain.cer
      copy mgmt01vrms51.lax01.cer+CACert.chain.cer mgmt01vrms51.lax01.chain.cer
      ```

    2. Copy the CACert.chain.cer file and mgmt01vrms01.sfo01.chain.cer for Region A or mgmt01vrms51.lax01.chain.cer for Region B to the /tmp/ssl folder on the vSphere Replication appliance.

      You can use scp, FileZilla or WinSCP.

    3. Log in to the vSphere Replication appliance again and run the following command to convert the machine certificate to PKCS#12 format.

      Specify a password. You need this password when you upload and install the certificate.

      vSphere Replication in Region A:

      ```
      openssl pkcs12 -export -in mgmt01vrms01.sfo01.chain.cer -inkey mgmt01vrms01.sfo01_ssl.key -name "vrmsprotected" -passout pass:VMware1! -out mgmt01vrms01.sfo01.p12
      ```

      vSphere Replication in Region B:

      ```
      openssl pkcs12 -export -in mgmt01vrms51.lax01.chain.cer -inkey mgmt01vrms51.lax01_ssl.key -name "vrmsprotected" -passout pass:VMware1! -out mgmt01vrms51.lax01.p12
      ```

    4. Get the internal HMS keystore password:

      ```
      /opt/vmware/hms/bin/hms-configtool -cmd list | grep truststore
      ```

    5. Import the certificate into the HMS truststore:

      ```
      /usr/java/default/bin/keytool -import -trustcacerts -alias root -file /tmp/ssl/CACert.cer -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass keystore_password
      ```

    6. Enter yes at the command prompt and press Enter to complete the certificate import process.

    7. Verify that the certificate is present in the HMS truststore.

      ```
      /usr/java/default/bin/keytool -list -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass keystore_password -v
      ```

    8. Copy mgmt01vrms01.sfo01.p12 or mgmt01vrms51.lax01.p12 to the dedicated folder on the Windows host that has access to the data center.

    9. Repeat the steps to generate a PKCS#12 certificate for the vSphere Replication appliance in the other region.
  12. For vRealize Log Insight, on the master node appliance generate a .pem file that contains the key file and the signer and owner certificates.

    1. Copy the CACert.chain.cer file to C:\manual-certs\vrli.lax01.
    2. Generate a vrli.lax01-chain.pem file that contains the host certificate with the intermediate certificate and root certificate, and the host private key.

      ```
      cd C:\manual-certs\vrli.lax01
      copy vrli.lax01.cer+CACert.chain.cer+vrli.lax01.key vrli-lax01-chain.pem
      ```
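As an added check that is not part of the VMware procedure, the following POSIX shell script builds a constructed root/intermediate/leaf hierarchy (standing in for the AD CA), assembles the chain files the same way the copy commands in steps 7, 9 and 11 do, and verifies chain validity, chain order, key/certificate match and the PKCS#12 round trip before anything is uploaded to an appliance. The CA names, the password and the reuse of the mgmt01nsxm51.lax01 host name are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the VMware procedure): a constructed root ->
# intermediate -> leaf hierarchy stands in for the AD CA; the chain files are
# assembled exactly as "copy a+b+c dest" does in steps 7, 9 and 11, then checked.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out Root64.cer 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA Root64.cer -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out Intermediate.cer 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mgmt01nsxm51.lax01.rainpole.local" -keyout mgmt01nsxm51.lax01.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA Intermediate.cer -CAkey inter.key -CAcreateserial -days 30 -out mgmt01nsxm51.lax01.cer 2>/dev/null
# Same concatenation as "copy a+b+c dest": leaf, then intermediate, then root.
cat mgmt01nsxm51.lax01.cer Intermediate.cer Root64.cer > mgmt01nsxm51.lax01.chain.cer
cat Intermediate.cer Root64.cer > CACert.chain.cer
# Deliberately mis-ordered chain (root first) so the order check has something to catch.
cat Root64.cer Intermediate.cer mgmt01nsxm51.lax01.cer > wrong-order.chain.cer
# 1) Does the machine certificate validate against the CA chain file built in step 9?
verify_chain() { openssl verify -CAfile CACert.chain.cer "$1" >/dev/null 2>&1; }

# 2) Is a chain file ordered leaf -> intermediate -> root, as the copy command in
#    step 7 produces it? Each block's issuer must equal the next block's subject.
chain_order_ok() {
  rm -f blk*.pem
  awk '/BEGIN CERTIFICATE/{n++} {print > ("blk" n ".pem")}' "$1"
  i=1
  while [ -f "blk$((i+1)).pem" ]; do
    iss=$(openssl x509 -in "blk$i.pem" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "blk$((i+1)).pem" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] || return 1
    i=$((i+1))
  done
}

# 3) Does the private key belong to the certificate about to be packaged (steps 10, 11)?
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# 4) Can the PKCS#12 written with -passout be opened again with the same password?
p12_roundtrip() {
  openssl pkcs12 -export -in "$2" -inkey "$1" -name "vrmsprotected" -passout "pass:$3" -out t.p12 2>/dev/null &&
    openssl pkcs12 -in t.p12 -passin "pass:$3" -noout 2>/dev/null
}
if verify_chain mgmt01nsxm51.lax01.cer && chain_order_ok mgmt01nsxm51.lax01.chain.cer &&
   key_matches_cert mgmt01nsxm51.lax01.key mgmt01nsxm51.lax01.cer &&
   p12_roundtrip mgmt01nsxm51.lax01.key mgmt01nsxm51.lax01.cer 'ExamplePassw0rd'; then
  echo "chain, key and PKCS#12 checks passed"; else echo "check failed"; exit 1; fi
```

On the Windows host the same checks run with openssl.exe against the files in C:\manual-certs; only the cat lines correspond to the copy commands of the procedure.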

Parent topic: Region B Certificate Replacement
