Replace the Default Certificate with a Custom Certificate on the ESXi Hosts in Region B

After you obtain signed certificates for the management ESXi hosts in Region B, use them to replace the default VMware Certificate Authority (VMCA) signed certificates on the hosts.

Procedure

  1. Change the certificate mode for the ESXi hosts in the management cluster.

    In custom mode, vCenter Server no longer provisions the hosts with VMCA-signed certificates when you refresh their certificates.

    1. Open a Web browser and go to https://mgmt01vc51.lax01.rainpole.local.
    2. Log in using the following credentials.

       |Setting|Value|
       |:------|:----|
       |User name|[email protected]|
       |Password|vsphere_admin_password|

    3. In the Navigator, under Hosts and Clusters, select mgmt01vc51.lax01.rainpole.local, and click the Configure tab.

    4. Under Settings, click Advanced Settings and click Edit.
    5. In the Filter box, enter certmgmt and press Enter to display only certificate management properties.
    6. Change the value of the vpxd.certmgmt.mode property to custom and click OK.
    7. From the Home menu, select Administration, and under Deployment on the Administration page select System Configuration.
    8. Under System Configuration, select Services, select the VMware vCenter Server (mgmt01vc51.lax01.rainpole.local) and select Actions > Restart.
  2. Add the CA root certificate to the vCenter Server TRUSTED_ROOTS store.

    If you already replaced the certificate for mgmt01vc51.lax01.rainpole.local, you have already added the root certificate to the TRUSTED_ROOTS store.

    1. Open an SSH connection to mgmt01vc51.lax01.rainpole.local.
    2. Log in using the following credentials.

       |Setting|Value|
       |:------|:----|
       |User name|root|
       |Password|mgmtvc_root_password|

    3. Copy chainRoot64.cer from the Windows host that you use to access the data center to the temporary directory /tmp/ssl on the vCenter Server Appliance.

      You can use scp, FileZilla or WinSCP.

    4. Run the following command.

      ```shell
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store TRUSTED_ROOTS --alias RainpoleCA.crt --cert /tmp/ssl/chainRoot64.cer
      ```

  3. Replace the certificates on ESXi hosts.

    1. Open a Web browser and go to https://mgmt01vc51.lax01.rainpole.local.
    2. Log in using the following credentials.

       |Setting|Value|
       |:------|:----|
       |User name|vcenteradmin|
       |Password|vsphere_admin_password|

    3. From the Home menu of the vSphere Web Client, select Hosts and Clusters.

    4. Under the LAX01 data center, right-click the mgmt01esx51.lax01.rainpole.local vCenter Server object and select Maintenance Mode > Enter Maintenance Mode.
    5. Select Move powered-off and suspended virtual machines to other hosts in the cluster and click OK.
    6. After the maintenance task is complete, open an SSH connection to mgmt01esx51.lax01.rainpole.local.
    7. Transfer mgmt01esx51.key and mgmt01esx51.cer from the Windows host to the /etc/vmware/ssl directory on the host.
    8. Run the following commands.

      ```shell
      # The key and certificate were transferred to /etc/vmware/ssl in the previous step.
      cd /etc/vmware/ssl
      # Keep the VMCA-signed pair as a fallback.
      mv rui.crt orig.rui.crt
      mv rui.key orig.rui.key
      # Install the custom pair under the names the host expects.
      mv mgmt01esx51.key rui.key
      mv mgmt01esx51.cer rui.crt
      ```

    9. Run the dcui command to open the Direct Console User Interface (DCUI).

    10. Press the F2 key to access the System Customization menu.
    11. Select Troubleshooting Options and press Enter.
    12. Select Restart Management Agents and press Enter.
    13. Press the F11 key to confirm the restart.
  4. Verify that the custom certificate is installed.

    1. Open a Web browser and go to https://mgmt01esx51.lax01.rainpole.local.
    2. Verify that the certificate returned by the host is signed by Rainpole instead of by VMware.
  5. Exit the maintenance mode of the host.

    1. Open a Web browser and go to https://mgmt01vc51.lax01.rainpole.local.
    2. Log in using the following credentials.

       |Setting|Value|
       |:------|:----|
       |User name|[email protected]|
       |Password|vsphere_admin_password|

    3. From the Home menu, select Hosts and Clusters.

    4. Under the LAX01-Mgmt01 data center, right-click the mgmt01esx51.lax01.rainpole.local vCenter Server object and select Maintenance Mode > Exit Maintenance Mode.
    5. Make sure that no warning message about an untrusted mgmt01esx51.lax01.rainpole.local certificate appears.
  6. Repeat Step 3 to Step 5 for the rest of the management ESXi hosts.

     |ESXi host|Managed by|Certificate file names|
     |:--------|:---------|:---------------------|
     |mgmt01esx52.lax01.rainpole.local|mgmt01vc51.lax01.rainpole.local|mgmt01esx52.key, mgmt01esx52.cert|
     |mgmt01esx53.lax01.rainpole.local|mgmt01vc51.lax01.rainpole.local|mgmt01esx53.key, mgmt01esx53.cert|
     |mgmt01esx54.lax01.rainpole.local|mgmt01vc51.lax01.rainpole.local|mgmt01esx54.key, mgmt01esx54.cert|
     |comp01esx51.lax01.rainpole.local|comp01vc51.lax01.rainpole.local|comp01esx51.key, comp01esx51.cert|
     |comp01esx52.lax01.rainpole.local|comp01vc51.lax01.rainpole.local|comp01esx52.key, comp01esx52.cert|
     |comp01esx53.lax01.rainpole.local|comp01vc51.lax01.rainpole.local|comp01esx53.key, comp01esx53.cert|
     |comp01esx54.lax01.rainpole.local|comp01vc51.lax01.rainpole.local|comp01esx54.key, comp01esx54.cert|
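Steps 3 and 4 above swap the key and certificate into /etc/vmware/ssl and then rely on a browser check to confirm the host presents a Rainpole-signed certificate. A mismatched key, a certificate that does not chain to chainRoot64.cer, or a missing DNS SAN for the host name only shows up after the management agents restart, when the host may already be unreachable from vCenter Server. The following script is an added example, not part of the VMware procedure or any VMware tool; it runs the checks a practitioner would want before moving the files on the host, using only the openssl CLI. The host names, file names and the throwaway CA it builds for the demo are constructed; for the real run, pass the mgmt01esx51.key, mgmt01esx51.cer and chainRoot64.cer files from the Windows host instead.

```shell
#!/bin/sh
# Added example (not VMware's code): pre-flight checks for a custom ESXi host
# certificate, run on the admin workstation before the files go into
# /etc/vmware/ssl. Requires the openssl CLI. Every name and path below is
# constructed for the demo; the real inputs are the files the CA issued.

# verify_esxi_cert_bundle KEY CERT CAFILE HOSTNAME
# Returns 0 when the private key matches the certificate, the certificate
# chains to CAFILE, HOSTNAME appears as a DNS SAN, and the certificate is
# valid for at least another day. Prints the issuer so the operator can
# confirm it is the custom CA rather than VMCA.
verify_esxi_cert_bundle() {
    key=$1; cert=$2; ca=$3; host=$4

    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "FAIL: cannot read $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)           || { echo "FAIL: cannot read $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $cert"; return 1; }

    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca"; return 1; }

    openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$host(,|[[:space:]]|$)" \
        || { echo "FAIL: $host is not a DNS SAN in $cert"; return 1; }

    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "FAIL: $cert expires within 24 hours"; return 1; }

    echo "OK: $cert $(openssl x509 -in "$cert" -noout -issuer)"
    return 0
}

# make_constructed_pki DIR HOSTNAME
# Builds a throwaway root CA and a host certificate under DIR so the checks
# can be exercised offline. Constructed for the demo only; it stands in for
# the real CA that produced chainRoot64.cer.
make_constructed_pki() {
    dir=$1; host=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/host.ext"

    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/O=Constructed Example/CN=Constructed Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/host.key" -out "$dir/host.csr" \
        -subj "/CN=$host" 2>/dev/null
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 2 -extfile "$dir/host.ext" -out "$dir/host.crt" 2>/dev/null
}

# live_host_issuer HOSTNAME
# The command-line form of the browser check in step 4: fetch the certificate
# the host actually presents on port 443 after the management agents restart
# and print its issuer. Needs network access to the host, so the demo below
# does not call it.
live_host_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Demo run against the constructed PKI.
demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir" mgmt01esx51.example.test
verify_esxi_cert_bundle "$demo_dir/host.key" "$demo_dir/host.crt" "$demo_dir/ca.crt" mgmt01esx51.example.test
rm -rf "$demo_dir"
```

Run it against the issued files before step 3, for example `verify_esxi_cert_bundle mgmt01esx51.key mgmt01esx51.cer chainRoot64.cer mgmt01esx51.lax01.rainpole.local`; a non-zero exit means the rename in step 3.8 would leave the host with a certificate vCenter Server cannot trust. The key-match check compares the public keys rather than moduli so it works for both RSA and EC keys, and the 24-hour `-checkend` margin catches a certificate that was issued with a short lifetime by mistake.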

Parent topic: Replace Certificates of the Virtual Infrastructure Components in Region B
