Replace the Platform Services Controller Certificates in Region A

You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).

About this task

Because the Platform Services Controller instances are load-balanced, the machine certificate on both instances in the region must be the same. The certificate must have a common name (CN) equal to the load-balanced Fully Qualified Domain Name (FQDN). The FQDN and short name of each Platform Services Controller, and the load-balanced FQDN and short name, must all be present in the Subject Alternative Name (SAN) extension of the generated certificate.

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server, and then on the Platform Services Controller for the Compute vCenter Server.
| Platform Services Controller | Certificate File Names | Replacement Order |
|---|---|---|
| mgmt01psc01.sfo01.rainpole.local | sfo01psc01.sfo01.key; sfo01psc01.sfo01.3.pem (CertGenVVD); sfo01psc01.sfo01.chain.cer (Manual); chainRoot64.cer | First |
| comp01psc01.sfo01.rainpole.local | sfo01psc01.sfo01.key; sfo01psc01.sfo01.3.pem (CertGenVVD); sfo01psc01.sfo01.1.chain.cer (Manual); chainRoot64.cer | Second |
Procedure

1. Log in to vCenter Server by using the vSphere Web Client.
   a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
   b. Log in using the following credentials.

      | Setting | Value |
      |:--------|:------|
      | User name | administrator@vsphere.local |
      | Password | vsphere_admin_password |
2. Disable the Platform Services Controller for the shared edge and compute cluster, comp01psc01, in the load balancer so that all traffic is routed to the Platform Services Controller for the management cluster, mgmt01psc01.
   a. From the vSphere Web Client Home menu, select Network & Security.
   b. In the Navigator, select NSX Edges.
   c. From the NSX Manager drop-down menu, select 172.16.11.65.
   d. Double-click the SFO01PSC01 edge device to open its network settings.
   e. On the Manage tab, click the Load Balancer tab and click Pools.
   f. Select pool-1 and click Edit.
   g. Select the comp01psc01 member, click Edit, select Disable from the State drop-down menu, and click OK.
   h. Repeat steps 2f and 2g to disable comp01psc01 in pool-2.
3. Temporarily disconnect the NSX Manager instances from the Platform Services Controller.
   a. Open a Web browser and go to https://mgmt01nsxm01.sfo01.rainpole.local.
   b. Log in using the following credentials.

      | Setting | Value |
      |:--------|:------|
      | User name | admin |
      | Password | nsx_manager_admin_password |

   c. Click Manage vCenter Registration.
   d. Click the Unconfigure button next to Lookup Service URL.
   e. Repeat these steps on https://comp01nsxm01.sfo01.rainpole.local.
4. Log in to the Platform Services Controller by using a Secure Shell (SSH) client.
   a. Open an SSH connection to mgmt01psc01.sfo01.rainpole.local.
   b. Log in using the following credentials.

      | Setting | Value |
      |:--------|:------|
      | User name | root |
      | Password | mgmtpsc_root_password |
5. Change the Platform Services Controller command shell to the Bash shell.

   ```
   shell
   chsh -s /bin/bash root
   ```
6. Copy the generated certificate files sfo01psc01.sfo01.key, sfo01psc01.sfo01.3.pem, and chainRoot64.cer from the Windows host to the /tmp/ssl directory on the Platform Services Controller. Use scp, FileZilla, or WinSCP to copy the files.
7. Rename sfo01psc01.sfo01.3.pem to sfo01psc01.sfo01.1.chain.cer.
8. Add the root certificate to the VMware Endpoint Certificate Store as a trusted root certificate by using the following command. Enter the vCenter Single Sign-On password when prompted.

   ```
   /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer
   ```
9. Replace the certificate on the Platform Services Controller.
   a. Start the vSphere Certificate Manager utility on the Platform Services Controller.

      ```
      /usr/lib/vmware-vmca/bin/certificate-manager
      ```

   b. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
   c. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
   d. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
   e. When prompted for the custom certificate, enter /tmp/ssl/sfo01psc01.sfo01.1.chain.cer.
   f. When prompted for the custom key, enter /tmp/ssl/sfo01psc01.sfo01.key.
   g. When prompted for the signing certificate, enter /tmp/ssl/chainRoot64.cer.
   h. When prompted to continue the operation, enter Y.
   i. Wait until the Platform Services Controller services restart successfully.
10. Validate that the new certificate has been installed successfully.
    a. Open a Web browser and go to https://mgmt01psc01.sfo01.rainpole.local.
    b. Verify that the Web browser shows the new certificate.
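Before you import the files with certificate-manager, and again after the browser check on the node, it is worth confirming that the certificate meets the naming rule from About this task: the common name is the load-balanced FQDN, and the SAN carries the FQDN and short name of both Platform Services Controller instances and of the load-balanced name. The following Python script is an example added here; it is not VMware tooling and not part of the original procedure. It parses the text that `openssl x509 -noout -subject -ext subjectAltName` prints, whether from the certificate file on the Windows host or from the certificate a node actually serves (fed through `openssl s_client`), using the host names from this page. The two OpenSSL outputs embedded in it are constructed samples.

```python
"""Check that a Platform Services Controller machine SSL certificate carries
the names the load-balanced pair requires (CN = load-balanced FQDN; SANs =
every node FQDN and short name plus the load-balanced FQDN and short name).

Added example for this page, not VMware tooling.  It reads the text that
OpenSSL prints for a certificate, for instance from the file before import:

    openssl x509 -in sfo01psc01.sfo01.1.chain.cer -noout -subject -ext subjectAltName

or from the certificate a node actually serves after the replacement
(the -ext option needs OpenSSL 1.1.1 or later):

    openssl s_client -connect mgmt01psc01.sfo01.rainpole.local:443 \\
        -servername mgmt01psc01.sfo01.rainpole.local </dev/null 2>/dev/null \\
        | openssl x509 -noout -subject -ext subjectAltName

Host names are the ones used in this procedure; the sample OpenSSL output
below is constructed for the example.
"""
import re
import sys

LB_FQDN = "sfo01psc01.sfo01.rainpole.local"
PSC_FQDNS = ["mgmt01psc01.sfo01.rainpole.local",
             "comp01psc01.sfo01.rainpole.local"]


def required_names(lb_fqdn, node_fqdns):
    """Return (required CN, required set of DNS SANs) for a load-balanced pair."""
    sans = set()
    for fqdn in [lb_fqdn, *node_fqdns]:
        sans.add(fqdn.lower())                   # FQDN
        sans.add(fqdn.split(".", 1)[0].lower())  # short name
    return lb_fqdn.lower(), sans


def parse_openssl_text(text):
    """Pull the CN and the DNS SAN entries out of `openssl x509 -subject -ext
    subjectAltName` output.  Handles both 'CN = x' (1.1.1+) and '/CN=x' (1.0)."""
    cn_match = re.search(r"\bCN\s*=\s*([^,/\n]+)", text)
    cn = cn_match.group(1).strip().lower() if cn_match else None
    sans = {name.lower() for name in re.findall(r"DNS:([^,\s]+)", text)}
    return cn, sans


def check_certificate(text, lb_fqdn=LB_FQDN, node_fqdns=PSC_FQDNS):
    """Return a list of problems; an empty list means the certificate satisfies the rule."""
    want_cn, want_sans = required_names(lb_fqdn, node_fqdns)
    cn, sans = parse_openssl_text(text)
    problems = []
    if cn != want_cn:
        problems.append(f"CN is {cn!r}, expected {want_cn!r}")
    for name in sorted(want_sans - sans):
        problems.append(f"SAN missing DNS name {name}")
    return problems


# Constructed sample output: a certificate generated correctly for the pair.
GOOD_OUTPUT = """\
subject=C = US, ST = CA, L = Palo Alto, O = Rainpole, CN = sfo01psc01.sfo01.rainpole.local
X509v3 Subject Alternative Name:
    DNS:sfo01psc01.sfo01.rainpole.local, DNS:sfo01psc01, DNS:mgmt01psc01.sfo01.rainpole.local, DNS:mgmt01psc01, DNS:comp01psc01.sfo01.rainpole.local, DNS:comp01psc01
"""

# Constructed sample output: a per-node certificate that passes a browser
# check against mgmt01psc01 alone but breaks the load-balanced name.
BAD_OUTPUT = """\
subject=C = US, ST = CA, L = Palo Alto, O = Rainpole, CN = mgmt01psc01.sfo01.rainpole.local
X509v3 Subject Alternative Name:
    DNS:mgmt01psc01.sfo01.rainpole.local, DNS:mgmt01psc01
"""

if __name__ == "__main__":
    # Pipe OpenSSL output in; with no input, evaluate the two constructed samples.
    inputs = [sys.stdin.read()] if not sys.stdin.isatty() else [GOOD_OUTPUT, BAD_OUTPUT]
    for text in inputs:
        problems = check_certificate(text)
        print("OK: certificate carries all required names" if not problems
              else "\n".join(problems))
```

A browser check against a single node name also passes for a per-node certificate, so run the check against the load-balanced name as well as each node. Catching a missing SAN entry before the import avoids a second certificate-manager run and service restart on both nodes.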
11. Restart the VAMI service to update the certificates for the appliance management interface.
    a. Go back to the mgmt01psc01.sfo01.rainpole.local SSH terminal.
    b. Enter the following command to update the certificates for the appliance management interface.

       ```
       /etc/init.d/vami-lighttp restart
       ```

12. Switch the shell back to the appliance shell.

    ```
    chsh -s /bin/appliancesh root
    ```

13. Repeat steps 4 to 11 to replace the certificate on comp01psc01.sfo01.rainpole.local.
14. Restart the services on the Management vCenter Server.
    a. Open an SSH connection to mgmt01vc01.sfo01.rainpole.local.
    b. Log in using the following credentials.

       | Setting | Value |
       |:--------|:------|
       | User name | root |
       | Password | mgmtvc_root_password |

    c. Switch from the vCenter Server Appliance command shell to the Bash shell.

       ```
       shell
       ```

    d. Restart the vCenter Server services by using the following commands.

       ```
       service-control --stop --all
       service-control --start --all
       ```
15. Restore the load balancer configuration.
    a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
    b. Log in using the following credentials.

       | Setting | Value |
       |:--------|:------|
       | User name | administrator@vsphere.local |
       | Password | vsphere_admin_password |

    c. From the vSphere Web Client Home menu, select Network & Security.
    d. In the Navigator, select NSX Edges.
    e. From the NSX Manager drop-down menu, select 172.16.11.65.
    f. Double-click the SFO01PSC01 edge device to open its network settings.
    g. On the Manage tab, click the Load Balancer tab and click Pools.
    h. Select pool-1 and click Edit.
    i. Select the comp01psc01 member, click Edit, select Enabled from the State drop-down menu, and click OK.
    j. Repeat steps 15h and 15i to enable comp01psc01 in pool-2.
16. Repeat step 14 to restart the services on the Compute vCenter Server comp01vc01.sfo01.rainpole.local in Region A, and on the vCenter Server instances mgmt01vc51.lax01.rainpole.local and comp01vc51.lax01.rainpole.local in Region B.
What to do next
If you replace only the certificate of the Platform Services Controller instances, reconnect the NSX Managers to the Platform Services Controller load balancer and to vCenter Server after you install the custom certificates on the nodes. See Connect NSX Manager to the Management vCenter Server in Region A.
If you replace the certificates of vCenter Server after those of the Platform Services Controllers, see Replace the vCenter Server Certificate Files in Region A.