Generate Manually the Key Pair and Certificate Signing Request for vSphere Data Protection in Region B

Generate a certificate signing request (CSR) for vSphere Data Protection in Region A that you can use to manually generate a certificate signed by the Microsoft CA on the dc51lax.lax01.rainpole.local AD server in Region A. Allocate downtime for the vSphere Data Protection service, because the service is down until the new certificate is installed.

About this task

You must plan for downtime of the vSphere Data Protection service. During certificate generation and replacement, the vSphere Data Protection service is down until the new certificate is installed. When you plan the downtime, take into account the time you need to use the generated CSR file to request the CA-signed certificate.

Procedure

  1. Log in to the vSphere Data Protection appliance.

    1. Open an SSH connection to the virtual machine mgmt01vdp51.lax01.rainpole.local.
    2. Log in using the following credentials.

       | Setting | Value |
       |:------|:----|
       | User name | root |
       | Password | vdp_root_password |

  2. Stop the vSphere Data Protection services by running the following command.

    ```
    emwebapp.sh --stop
    ```

  3. Delete the Tomcat alias from the certificate store.

    ```
    /usr/java/latest/bin/keytool -delete -alias tomcat
    ```

    When prompted for the keystore password, enter changeit.

  4. Generate a CSR vdpcsr.csr by running the following two commands.

    When prompted for the keystore password, enter changeit.

    ```
    # a. Generate a new RSA key pair under the tomcat alias.
    #    The CN is the FQDN of the appliance from step 1.
    /usr/java/latest/bin/keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore /root/.keystore -storepass changeit -keypass changeit -validity 3650 -dname "CN=mgmt01vdp51.lax01.rainpole.local, OU=rainpole.local, O=Rainpole Inc., L=Palo Alto, S=CA, C=US"

    # b. Write the certificate signing request for that key pair to vdpcsr.csr.
    /usr/java/latest/bin/keytool -certreq -keyalg RSA -alias tomcat -file vdpcsr.csr
    ```

  5. Copy the vdpcsr.csr file to the C:\manual-certs\vdp\mgmt01vdp51 directory on the Windows host that you use to access the data center.
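
A pre-submission check for the CSR produced in step 4, added here as an example and not part of the original procedure. It assumes OpenSSL is installed on the host where you inspect the file; `check_csr` and `make_sample_csr` are hypothetical helper names.

```shell
#!/bin/sh
# check_csr FILE EXPECTED_CN [MIN_BITS]   (hypothetical helper, not VMware's)
# Succeeds only if the self-signature verifies, the subject CN equals
# EXPECTED_CN, the key has at least MIN_BITS bits (default 2048) and the
# request is signed with SHA-256. The body is a subshell, so variables stay
# local and "exit" only sets the function's return status.
check_csr() (
    csr=$1; want_cn=$2; min_bits=${3:-2048}; rc=0

    # Proof of possession: the CSR must be signed by its own private key.
    # Match on the message because some OpenSSL builds exit 0 on failure.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: self-signature does not verify" >&2; rc=1
    fi

    # RFC 2253 formatting keeps the subject line stable across versions.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: CN is '$cn', expected '$want_cn'" >&2; rc=1
    fi

    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-0} bits, need at least $min_bits" >&2; rc=1
    fi

    if ! printf '%s\n' "$text" |
         grep -q 'Signature Algorithm: sha256WithRSAEncryption'; then
        echo "FAIL: request is not signed with SHA256withRSA" >&2; rc=1
    fi
    exit "$rc"
)

# make_sample_csr FILE CN: constructed throwaway request for trying the check
# offline. The real vdpcsr.csr comes from keytool on the appliance.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1.key" \
        -out "$1" 2>/dev/null \
        -subj "/C=US/ST=CA/L=Palo Alto/O=Rainpole Inc./OU=rainpole.local/CN=$2" &&
        rm -f "$1.key"
}

# Usage: sh this_script.sh vdpcsr.csr mgmt01vdp51.lax01.rainpole.local
if [ "$#" -ge 2 ]; then check_csr "$@"; fi
```

A CN that does not match the FQDN clients use to reach the appliance is the most common reason a signed certificate is rejected after installation, so run the check before the downtime window opens.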

What to do next

  1. Obtain a signed certificate from the Microsoft certificate authority. See Generate Manually the Key Pair and Certificate Signing Request for vSphere Data Protection in Region B.

  2. Replace the certificate on vSphere Data Protection. See Install a Manually Generated Certificate on vSphere Data Protection in Region A.
