Generate CA-Signed Certificates for the SDDC Management Components in Region A

When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA).

Before you begin

Procedure

  1. Log in to the Windows host that has access to the AD server as an administrator.
  2. Submit a request and download the certificate chain that contains the CA-signed certificate and the CA certificate.

    1. Open a Web Browser and go to http://dc01sfo.sfo01.rainpole.local/CertSrv/ to open the Web interface of the CA server.
    2. Log in using the following credentials.

      | Setting   | Value             |
      |:----------|:------------------|
      | User name | AD administrator  |
      | Password  | ad_admin_password |

    3. Click the Request a certificate link.

    4. Click advanced certificate request.
    5. Open the CSR file .csr in a plain text editor.
    6. Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- to the clipboard.
    7. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR file into the Saved Request box.
    8. From the Certificate Template drop-down menu, select VMware and click Submit.
    9. On the Certificate issued screen, click Base 64 encoded.
    10. Click the Download Certificate chain link and save the certificate chain file certnew.p7b to the Downloads folder.
  3. Export the machine certificate to the correct format.

    1. Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
    2. Navigate to certnew.p7b > Certificates and notice the three certificates.
    3. Right-click the machine certificate and select All Tasks > Export.
    4. In the Certificate Export Wizard, click Next.
    5. Select Base-64 encoded X.509 (.CER) and click Next.
    6. Browse to C:\certs and specify the certificate name in the File name text box.
    7. Click Next and click Finish.

      The certificate file is saved to the C:\certs folder.

  4. Export the intermediate CA certificate file to the correct format.

    1. Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
    2. Navigate to certnew.p7b > Certificates and notice the three certificates.
    3. Right-click the intermediate CA certificate and select All Tasks > Export.
    4. In the Certificate Export Wizard, click Next.
    5. Select Base-64 encoded X.509 (.CER) and click Next.
    6. Browse to C:\certs and enter Intermediate in the File name text box.
    7. Click Next and click Finish.

      The Intermediate.cer file is saved to the C:\certs folder.

  5. Export the root CA certificate file in the correct format.

    1. Right-click the root certificate and select All Tasks > Export.
    2. In the Certificate Export Wizard, click Next.
    3. Select Base-64 encoded X.509 (.CER) and click Next.
    4. Browse to C:\certs and enter Root64 in the File name text box.
    5. Click Next and click Finish.

      The Root64.cer file is saved to the C:\certs folder.

  6. Move each certificate file to its C:\manual-certs\component folder under the file name listed in the following table.

    | Management Component | Target Folder | Certificate File Names |
    |:---------------------|:--------------|:-----------------------|
    | ESXi hosts for the management cluster | C:\manual-certs\mgmt01esx.sfo01 | mgmt01esx01.cer, mgmt01esx02.cer, mgmt01esx03.cer, mgmt01esx04.cer |
    | ESXi hosts for the management cluster | C:\manual-certs\comp01esx.sfo01 | comp01esx01.cer, comp01esx02.cer, comp01esx03.cer, comp01esx04.cer |
    | Platform Services Controller for the management cluster | C:\manual-certs\sfo01psc01.sfo01 | sfo01psc01.sfo01.cer |
    | vCenter Server for the management cluster | C:\manual-certs\mgmt01vc01.sfo01 | mgmt01vc01.sfo01.cer |
    | NSX Manager for the management cluster | C:\manual-certs\mgmt01nsxm01.sfo01 | mgmt01nsxm01.sfo01.cer |
    | Platform Services Controller for the shared edge and compute cluster | - | - |
    | vCenter Server for the shared edge and compute cluster | C:\manual-certs\comp01vc01.sfo01 | comp01vc01.sfo01.cer |
    | NSX Manager for the shared edge and compute cluster | C:\manual-certs\comp01nsxm01.sfo01 | comp01nsxm01.sfo01.cer |
    | vSphere Data Protection | C:\manual-certs\mgmt01vdp01.sfo01 | vdp.p7b |
    | Site Recovery Manager | - | - |
    | vSphere Replication | - | - |
    | vRealize Automation | C:\manual-certs\vRA | vra.cer |
    | vRealize Orchestrator | C:\manual-certs\vRO | vro.cer |
    | vRealize Business | C:\manual-certs\vRB | vrb.cer |
    | vRealize Operations Manager | C:\manual-certs\vrops-forVVD4.0 | vrops-forVVD4.cer |
    | vRealize Log Insight | C:\manual-certs\vrli.sfo01 | vrli.sfo01.cer |

  7. Generate a certificate chain file.

    1. Navigate to the directory C:\manual-certs\component.
    2. For each management component, run the following command to create the certificate chain file.

      | Management Component | Certificate Chain File Name |
      |:---------------------|:----------------------------|
      | Platform Services Controller for the management cluster | sfo01psc01.sfo01.chain.cer |
      | vCenter Server for the management cluster | mgmt01vc01.sfo01.chain.cer |
      | NSX Manager for the management cluster | mgmt01nsxm01.sfo01.chain.cer |
      | Platform Services Controller for the shared edge and compute cluster | Not applicable |
      | vCenter Server for the shared edge and compute cluster | comp01vc01.sfo01.chain.cer |
      | NSX Manager for the shared edge and compute cluster | comp01nsxm01.sfo01.chain.cer |
      | vSphere Data Protection | Not applicable |
      | Site Recovery Manager | Not applicable |
      | vSphere Replication | Not applicable |
      | vRealize Automation | vra.chain.cer |
      | vRealize Orchestrator | vro.chain.cer |
      | vRealize Business | vrb.chain.cer |
      | vRealize Operations Manager | Not applicable |
      | vRealize Log Insight | vrli-sfo01.chain.cer |

      ```
      copy own-certificate-file+Intermediate.cer+Root64.cer component-chain-file
      ```

      For example, run the following command to generate a certificate chain file for the NSX Manager for the management cluster.

      ```
      copy mgmt01nsxm01.sfo01.cer+Intermediate.cer+Root64.cer mgmt01nsxm01.sfo01.chain.cer
      ```

  8. Repeat the procedure to generate signed certificates for the other products.

  9. For each vCenter Server instance, create a certificate chain file CACert.chain.cer that contains the certificates of the root and intermediate CA in the vCenter Server specific folder.

    | vCenter Server | Folder |
    |:---------------|:-------|
    | Management vCenter Server | C:\manual-certs\mgmt01vc01.sfo01 |
    | Compute vCenter Server | C:\manual-certs\comp01vc01.sfo01 |

    ```
    copy Intermediate.cer+Root64.cer CACert.chain.cer
    ```

  10. Generate a .pem file that contains the key file and the signer and owner certificates.

    1. Copy the CACert.chain.cer file to the following folders.

      • C:\manual-certs\vrops-forVVD4.0\

      • C:\manual-certs\vrli.sfo01

      • C:\manual-certs\vRA

      • C:\manual-certs\vRO

      • C:\manual-certs\vRB

    2. Generate a vrops01-chain.pem file that contains the host certificate, the intermediate and root CA certificates, and the host's private key. Because copy concatenates the sources into the first file when no destination is given, name the output file explicitly.

      ```
      cd C:\manual-certs\vrops-forVVD4.0\
      copy vrops-forVVD4.cer+CACert.chain.cer+vrops-forVVD4.key vrops01-chain.pem
      ```

    3. Repeat the step in the following folders.

      • C:\manual-certs\vrli.sfo01

      • C:\manual-certs\vRA

      • C:\manual-certs\vRO

      • C:\manual-certs\vRB
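The copy commands in step 7 and step 10 produce a valid chain only if the arguments are in leaf, intermediate, root order. The following PowerShell script is an added check, not part of this guide: it reads a chain file (a .chain.cer from step 7 or a .pem from step 10), confirms that each certificate is issued by the one that follows it, and reports whether a private key block is present. The file path is an assumption; replace it with the component folder being worked on.

```powershell
# Added example, not part of the VMware guide: check a chain file built with the
# copy commands in this procedure. The path is an assumption; adjust to your component folder.
$ChainFile = 'C:\manual-certs\mgmt01nsxm01.sfo01\mgmt01nsxm01.sfo01.chain.cer'

function Test-CertChainFile {
    param([Parameter(Mandatory)][string]$Path)

    $text = Get-Content -Path $Path -Raw
    # Collect every PEM certificate block in file order; copy a+b+c preserves that order.
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    $blocks = [regex]::Matches($text, $pattern, 'Singleline')
    if ($blocks.Count -lt 2) {
        throw "Expected at least 2 certificates in $Path, found $($blocks.Count)"
    }

    $certs = @(foreach ($m in $blocks) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })

    # Position i must be issued by position i+1 (leaf, then Intermediate, then Root64).
    # This compares distinguished names only; X509Chain.Build would also verify signatures.
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            throw ("Wrong order at position {0}: '{1}' is not issued by '{2}'" -f
                $i, $certs[$i].Subject, $certs[$i + 1].Subject)
        }
    }

    $last = $certs[-1]
    if ($last.Subject -ne $last.Issuer) {
        Write-Warning "Last certificate '$($last.Subject)' is not self-signed; Root64.cer may be missing"
    }

    # Only the .pem files from step 10 are expected to carry a private key block.
    $hasKey = $text -match '-----BEGIN (RSA |EC )?PRIVATE KEY-----'

    [pscustomobject]@{
        File         = $Path
        Certificates = $certs.Count
        Leaf         = $certs[0].Subject
        Root         = $last.Subject
        ContainsKey  = $hasKey
        LeafExpires  = $certs[0].NotAfter.ToUniversalTime()
    }
}

Test-CertChainFile -Path $ChainFile
```

Run it against each .chain.cer and .pem file before uploading it to a component; a ContainsKey value of True on a .chain.cer file means the private key was concatenated into a file that should hold only public certificates.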
