Use the Certificate Generation Utility to Generate CA-Signed Certificates for the SDDC Management Components in Region A

Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products in a single operation.

Before you begin

  • If you use an intermediate CA such as sfo01.rainpole.local, make the Windows host that you use to connect to the data center a part of the sfo01.rainpole.local domain.

About this task

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215.

Procedure

  1. Log in to a Windows host that has access to your data center.
  2. Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 to the Windows host from which you connect to the data center, and extract the ZIP file to the C: drive.
  3. In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.

     ORG=Rainpole Inc.
     OU=Rainpole.local
     LOC=SFO
     ST=CA
     CC=US
     CN=VMware_VVD
     keysize=2048

  5. Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.

    • comp01esx01.sfo01.txt

    • comp01esx02.sfo01.txt

    • comp01esx03.sfo01.txt

    • comp01esx04.sfo01.txt

    • comp01nsxm01.sfo01.txt

    • comp01vc01.sfo01.txt

    • mgmt01nsxm01.sfo01.txt

    • sfo01psc01.sfo01.txt

    • mgmt01esx01.sfo01.txt

    • mgmt01esx02.sfo01.txt

    • mgmt01esx03.sfo01.txt

    • mgmt01esx04.sfo01.txt

    • mgmt01srm01.sfo01.txt

    • mgmt01vc01.sfo01.txt

    • mgmt01vdp01.sfo01.txt

    • mgmt01vrms01.sfo01.txt

    • vra.txt

    • vrb.txt

    • vrli.sfo01.txt

    • vro.txt

    • vrops-forVVD4.0.txt

  6. If sfo01psc01.sfo01.txt does not exist, create it so that you can generate certificates for the Platform Services Controllers that are behind a load balancer in Region A.

    1. Make a copy of mgmt01vc01.sfo01.txt and save it as sfo01psc01.sfo01.txt.
    2. Open the copied file in a text editor, and verify that the following properties are configured.

       sfo01psc01.sfo01.txt

       [CERT]
       NAME=default
       ORG=default
       OU=default
       LOC=SFO
       ST=default
       CC=default
       CN=sfo01psc01.sfo01.rainpole.local
       keysize=default

       [SAN]
       comp01psc01
       mgmt01psc01
       comp01psc01.sfo01.rainpole.local
       mgmt01psc01.sfo01.rainpole.local
       sfo01psc01
       sfo01psc01.sfo01.rainpole.local

  7. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.

    For example, if you use CertGenVVD 2.1, navigate to the following folder:

     cd C:\CertGenVVD-2.1

  8. Run the following command to grant PowerShell permissions to run third-party shell scripts.

     Set-ExecutionPolicy Unrestricted

  9. Run the following command to validate the prerequisites for running the utility.

     .\CertGenVVD-2.1.ps1 -validate

     In the output, verify that VMware is included in the available CA Template Policy.

  10. Run the following command to generate MSCA-signed certificates.

     .\CertGenVVD-2.1.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'

  11. In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts sub-folder.
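After step 11 you have a folder of MSCA-signed certificates but no confirmation yet that each one carries the subject and SAN entries from its config file. The following PowerShell script is an added example and is not part of the CertGenVVD utility or of this documentation. It reads a config file in the [CERT]/[SAN] layout shown in step 6, resolves values set to default from default.txt (an assumption about how the utility treats them), and checks the issued certificate for the expected CN, every SAN name, and a chain to a root that the host trusts. The $utilRoot folder and the certificate filename under SignedByMSCACerts are placeholders; use the file the utility actually wrote for sfo01psc01.

```powershell
# Added verification script (not part of CertGenVVD). It reads a CertGenVVD
# config file in the [CERT]/[SAN] layout shown in step 6, resolves values that
# are set to 'default' from default.txt (assumption: that is how the utility
# treats them), and checks that a certificate the utility produced carries the
# expected subject CN, every SAN entry, and chains to a root this host trusts.

$utilRoot = 'C:\CertGenVVD-2.1'   # assumption: the version folder from step 7

function Read-CertGenConfig {
    param([Parameter(Mandatory)][string]$Path)
    # Lines before any [section] header are treated as [CERT], so default.txt
    # (plain key=value lines) and the per-product files parse the same way.
    $section = 'CERT'
    $cert = @{}
    $san  = @()
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1].ToUpper(); continue }
        switch ($section) {
            'CERT' {
                if ($line -notmatch '=') { break }   # break leaves the switch only
                $k, $v = $line -split '=', 2
                $cert[$k.Trim().ToUpper()] = $v.Trim()
            }
            'SAN' { $san += $line }
        }
    }
    return @{ Cert = $cert; San = $san }
}

function Resolve-CertGenConfig {
    param([Parameter(Mandatory)][string]$ConfigPath,
          [Parameter(Mandatory)][string]$DefaultPath)
    $defaults = (Read-CertGenConfig -Path $DefaultPath).Cert
    $cfg      = Read-CertGenConfig -Path $ConfigPath
    $resolved = @{}
    foreach ($k in $cfg.Cert.Keys) {
        $v = $cfg.Cert[$k]
        # Keys with no counterpart in default.txt (for example NAME) keep their literal value
        if ($v -eq 'default' -and $defaults.ContainsKey($k)) { $v = $defaults[$k] }
        $resolved[$k] = $v
    }
    return @{ Cert = $resolved; San = $cfg.San }
}

function Test-IssuedCertificate {
    param([Parameter(Mandatory)][string]$CertPath,
          [Parameter(Mandatory)][hashtable]$Expected)
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $problems = @()

    # 1. The subject CN must equal the CN from the config file
    $cnPattern = '(^|, )CN=' + [regex]::Escape($Expected.Cert['CN']) + '(,|$)'
    if ($x509.Subject -notmatch $cnPattern) {
        $problems += "Subject CN mismatch: $($x509.Subject)"
    }

    # 2. Every [SAN] entry must appear in the Subject Alternative Name extension (OID 2.5.29.17)
    $sanExt  = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    foreach ($name in $Expected.San) {
        if ($sanText -notmatch ('(?i)DNS Name=' + [regex]::Escape($name) + '(,|$)')) {
            $problems += "SAN entry missing: $name"
        }
    }

    # 3. The certificate must chain to a root in this host's trust store (the MSCA root)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($x509)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Chain does not build: $status"
    }
    return ,$problems
}

# Usage. The certificate filename is a placeholder: use the file the utility
# wrote for sfo01psc01 under SignedByMSCACerts (step 11).
$expected = Resolve-CertGenConfig -ConfigPath "$utilRoot\ConfigFiles\sfo01psc01.sfo01.txt" -DefaultPath "$utilRoot\default.txt"
$issues = Test-IssuedCertificate -CertPath "$utilRoot\SignedByMSCACerts\PLACEHOLDER-sfo01psc01.crt" -Expected $expected
if ($issues.Count -eq 0) { 'OK: certificate matches sfo01psc01.sfo01.txt' } else { $issues }
```

Run the script from the same PowerShell prompt you used in steps 7 to 10. The chain check passes only when the MSCA root (and the intermediate CA, if you use one) is already installed in the host's certificate store, which is the same condition the management products need when they later present these certificates. If you prefer the execution-policy change from step 8 not to persist after the session ends, Set-ExecutionPolicy accepts -Scope Process, which limits the setting to the current PowerShell process.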

What to do next

Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Management Products in Region A.

Parent topic: Use the Certificate Generation Utility to Generate Certificates Automatically in Region A

Next topic: Additional Configuration for Intermediate Certificate Authority in Region A
