Replace the Platform Services Controller Certificates in Region B

You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).

About this task

Because the Platform Services Controller instances are load-balanced, the machine certificate on both instances in the region must be the same. The common name (CN) of the certificate must equal the load-balanced Fully Qualified Domain Name (FQDN). The FQDN and short name of each Platform Services Controller, and the load-balanced FQDN and short name, must all be in the Subject Alternative Name (SAN) of the generated certificate.

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server, and then on the Platform Services Controller for the Compute vCenter Server.

|Platform Services Controller|Certificate File Name|Replacement Order|
|:---------------------------|:--------------------|:----------------|
|mgmt01psc51.lax01.rainpole.local|lax01psc51.lax01.key, lax01psc51.lax01.3.pem (CertGenVVD), lax01psc51.lax01.1.chain.cer (Manual), chainRoot64.cer|First|
|comp01psc51.lax01.rainpole.local|lax01psc51.lax01.key, lax01psc51.lax01.3.pem (CertGenVVD), lax01psc51.lax01.1.chain.cer (Manual), chainRoot64.cer|Second|

Procedure

  1. Log in to the Management vCenter Server by using the vSphere Web Client.

    1. Open a Web browser and go to https://mgmt01vc51.lax01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

      |Setting|Value|
      |:------|:----|
      |User name|administrator@vsphere.local|
      |Password|vsphere_admin_password|

  2. Disable the Platform Services Controller for the shared edge and compute cluster comp01psc51 in the load balancer to route all traffic to the Platform Services Controller for the management cluster mgmt01psc51.

    1. From the vSphere Web Client Home menu, select Network & Security.
    2. In the Navigator, select NSX Edges.
    3. From the NSX Manager drop-down menu, select 172.17.11.65.
    4. Double-click the LAX01PSC51 edge device to open its network settings.
    5. On the Manage tab, click the Load Balancer tab and click Pools.
    6. Select pool-1 and click Edit.
    7. Select the comp01psc51 member, click Edit, select Disable from the State drop-down menu and click OK.
    8. Repeat 2f and 2g to disable comp01psc51 in pool-2.
  3. Disconnect the NSX Manager instances from the Platform Services Controller temporarily.

    1. Open a Web Browser and go to https://mgmt01nsxm51.lax01.rainpole.local.
    2. Log in using the following credentials.

      |Setting|Value|
      |:------|:----|
      |User name|admin|
      |Password|nsx_manager_admin_password|

    3. Click Manage vCenter Registration.

    4. Click the Unconfigure button next to Lookup Service URL.
    5. Repeat the steps on https://comp01nsxm51.sfo01.rainpole.local.
  4. Log in to the Platform Services Controller by using a Secure Shell (SSH) client.

    1. Open an SSH connection to mgmt01psc51.lax01.rainpole.local.
    2. Log in using the following credentials.

      |Setting|Value|
      |:------|:----|
      |Username|root|
      |Password|mgmtpsc_root_password|

  5. Change the Platform Services Controller command shell to the Bash shell so that you can use secure copy (scp) connections.

    ```shell
    shell
    chsh -s /bin/bash root
    ```

  6. Copy the generated certificate files lax01psc51.lax01.key, lax01psc51.lax01.3.pem and chainRoot64.cer from the Windows host to the /tmp/ssl directory on the Platform Services Controller.

    Use scp, FileZilla or WinSCP to copy the files.

  7. Rename lax01psc51.lax01.3.pem to lax01psc51.lax01.1.chain.cer.

  8. Add the root certificate to the VMware Endpoint Certificate Store as a trusted root certificate by using the following command.

    Enter the vCenter Single Sign-On password when prompted.

    ```shell
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer
    ```

  9. Replace the certificate on the Platform Services Controller.

    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.

      ```shell
      /usr/lib/vmware-vmca/bin/certificate-manager
      ```

    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).

    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /tmp/ssl/lax01psc51.lax01.1.chain.cer.
    6. When prompted for the custom key, enter /tmp/ssl/lax01psc51.lax01.key.
    7. When prompted for the signing certificate, enter /tmp/ssl/chainRoot64.cer.
    8. When prompted to continue operation, enter Y.

      Wait until the Platform Services Controller services restart successfully.

  10. Validate that the new certificate has been installed successfully.

    1. Open a Web Browser and go to https://mgmt01psc51.lax01.rainpole.local.
    2. Verify that the Web browser shows the new certificate.
  11. Restart the VAMI service to update the certificate for the appliance management interface.

    1. Go back to the mgmt01psc51.lax01.rainpole.local SSH terminal.
    2. Enter the following command to update the certificate for the appliance management interface.

      ```shell
      /etc/init.d/vami-lighttp restart
      ```

  12. Switch the shell back to the appliance shell.

    ```shell
    chsh -s /bin/appliancesh root
    ```

  13. Repeat 4 to 11 to replace the certificate on comp01psc51.lax01.rainpole.local.

  14. Restart the services on the Management vCenter Server.

    1. Open an SSH connection to mgmt01vc51.lax01.rainpole.local.
    2. Log in using the following credentials.

      |Setting|Value|
      |:------|:----|
      |Username|root|
      |Password|mgmtvc_root_password|

    3. Switch from appliance shell to the Bash shell.

      ```shell
      shell
      ```

    4. Restart vCenter Server services by using the following command.

      ```shell
      service-control --stop --all
      service-control --start --all
      ```

  15. Restore load balancer configuration.

    1. Open a Web Browser and go to https://mgmt01vc51.lax01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

      |Setting|Value|
      |:------|:----|
      |Username|administrator@vsphere.local|
      |Password|vsphere_admin_password|

    3. From the vSphere Web Client Home menu, select Network & Security.

    4. In the Navigator, select NSX Edges.
    5. Select 172.17.11.65 from the NSX Manager drop-down menu.
    6. Double-click the LAX01PSC51 edge device to open its network settings.
    7. On the Manage tab, click the Load Balancer tab and click Pools.
    8. Select pool-1 and click Edit.
    9. Select the comp01psc51 member, click Edit, select Enabled from the State drop-down menu, and click OK.
    10. Repeat 15h and 15i to enable comp01psc51 in pool-2.
  16. Repeat 15 to restart the services on the Compute vCenter Server comp01vc51.lax01.rainpole.local in Region B and on the vCenter Server instances mgmt01vc01.sfo01.rainpole.local and comp01vc01.sfo01.rainpole.local in Region A.
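As an added pre-flight check that is not part of the VMware procedure, the following POSIX shell function verifies the files copied to /tmp/ssl against the requirements stated in About this task before step 9 hands them to certificate-manager: CN equal to the load-balanced FQDN, every Platform Services Controller and load-balanced name present as a DNS SAN, the private key matching the certificate, and a chain to chainRoot64.cer. The function name check_psc_cert is an assumption; it needs only the openssl binary available in the Platform Services Controller Bash shell.

```shell
#!/bin/sh
# Added pre-flight check, not part of the VMware procedure: verify a
# generated PSC certificate set before feeding it to certificate-manager.
# Assumes openssl is on PATH (it is in the PSC Bash shell).
#
# check_psc_cert CERT KEY ROOT LB_FQDN NAME...
#   CERT     leaf certificate or chain, e.g. /tmp/ssl/lax01psc51.lax01.1.chain.cer
#   KEY      private key, e.g. /tmp/ssl/lax01psc51.lax01.key
#   ROOT     trusted CA chain, e.g. /tmp/ssl/chainRoot64.cer
#   LB_FQDN  load-balanced FQDN that the CN must equal
#   NAME...  every FQDN and short name that must appear as a DNS SAN
# Returns 0 only if all four checks pass; prints one FAIL line per defect.
check_psc_cert() {
  cert=$1; key=$2; root=$3; lb_fqdn=$4; shift 4
  rc=0

  # 1. CN must be exactly the load-balanced FQDN
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$lb_fqdn" ] || { echo "FAIL: CN is '$cn', want '$lb_fqdn'"; rc=1; }

  # 2. Every required name must be a DNS SAN; exact match, so a short
  #    name does not pass merely because the FQDN contains it
  san=$(openssl x509 -in "$cert" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
  for name in "$@"; do
    case ",$san," in
      *",DNS:$name,"*) ;;
      *) echo "FAIL: SAN lacks DNS:$name"; rc=1 ;;
    esac
  done

  # 3. The private key must belong to the certificate
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: key does not match certificate"; rc=1; }

  # 4. The certificate must chain to the root that dir-cli publishes;
  #    -untrusted lets intermediates bundled in CERT complete the chain
  openssl verify -CAfile "$root" -untrusted "$cert" "$cert" 2>&1 |
    grep -q ': OK' ||
    { echo "FAIL: certificate does not chain to $root"; rc=1; }

  return $rc
}
```

Run it once per row of the table above, passing the load-balanced FQDN as LB_FQDN and then the load-balanced and PSC names from About this task; a non-zero exit means the files should be regenerated before step 9.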

What to do next

If you replace only the certificate of the Platform Services Controller instances, reconnect the NSX Managers to the Platform Services Controller load balancer and to vCenter Server after you install the custom certificates on the nodes. See Connect NSX Manager to the Management vCenter Server in Region B.

If you replace the certificates of vCenter Server after those of the Platform Services Controllers, see Replace vCenter Server Certificates in Region B.
