Replace the Default Certificate with a Custom Certificate on the ESXi Hosts in Region A
Optionally, after you obtain a signed certificate for each ESXi host in Region A, use it to replace the default certificate that the VMware Certificate Authority (VMCA) issued to the host.
Procedure
1. Change the certificate mode for the ESXi hosts in the management cluster.

   By default, vCenter Server automatically provisions ESXi hosts with VMCA-signed certificates when they are added to it. Changing the certificate mode to custom stops vCenter Server from pushing VMCA certificates to ESXi hosts when they are added.

   - Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local.
   - Log in using the following credentials.

     |Setting|Value|
     |:------|:----|
     |User name|[email protected]|
     |Password|vsphere_admin_password|

   - In the Navigator, under Hosts and Clusters, select mgmt01vc01.sfo01.rainpole.local, and click the Configure tab.
   - Under Settings, click Advanced Settings and click Edit.
   - In the filter box, enter certmgmt and press Enter to display only the certificate management properties.
   - Change the value of the vpxd.certmgmt.mode property to custom and click OK.
   - From the vSphere Web Client Home menu, select Administration, and under Deployment on the Administration page, select System Configuration.
   - Under System Configuration, select Services, select VMware vCenter Server (mgmt01vc01.sfo01.rainpole.local) and select Actions > Restart.
2. If you have not replaced the certificate of the mgmt01vc01.sfo01.rainpole.local vCenter Server, add the CA root certificate to the vCenter Server TRUSTED_ROOTS store. If you already replaced the certificate for mgmt01vc01.sfo01.rainpole.local, the root certificate is already in the TRUSTED_ROOTS store.

   - Open an SSH connection to mgmt01vc01.sfo01.rainpole.local.
   - Log in using the following credentials.

     |Setting|Value|
     |:------|:----|
     |User name|root|
     |Password|mgmtvc_root_password|

   - Copy the Root64.cer chain file from the Windows host that you use to access the data center to the temporary directory /tmp/ssl on the vCenter Server Appliance. You can use scp, FileZilla or WinSCP.
   - Run the following command to add the chain file to the TRUSTED_ROOTS store of the VMware Endpoint Certificate Store (VECS).

     ```
     /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store TRUSTED_ROOTS --alias RainpoleCA.crt --cert /tmp/ssl/chainRoot64.cer
     ```
3. Replace the certificates on the ESXi hosts.

   - Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local.
   - Log in using the following credentials.

     |Setting|Value|
     |:------|:----|
     |User name|[email protected]|
     |Password|vsphere_admin_password|

   - From the Home menu of the vSphere Web Client, select Hosts and Clusters.
   - Under the SFO01-Mgmt01 data center, right-click the mgmt01esx01.sfo01.rainpole.local host and select Maintenance Mode > Enter Maintenance Mode.
   - Select Move powered-off and suspended virtual machines to other hosts in the cluster and click OK.
   - After the maintenance task is complete, open an SSH connection to the mgmt01esx01.sfo01.rainpole.local host.
   - Transfer mgmt01esx01.key and mgmt01esx01.1.cer from the Windows host that you use to access the data center to the /etc/vmware/ssl directory on the host.
   - In the /etc/vmware/ssl directory, run the following commands to keep a copy of the current certificate and key and put the custom ones in their place.

     ```
     mv rui.crt orig.rui.crt
     mv rui.key orig.rui.key
     mv mgmt01esx01.key rui.key
     mv mgmt01esx01.1.cer rui.crt
     ```

   - Run the dcui command to open the Direct Console User Interface (DCUI).
   - Press the F2 key to access the System Customization menu.
   - Select Troubleshooting Options and press Enter.
   - Select Restart Management Agents and press Enter.
   - Press the F11 key to confirm the restart.
4. Verify that the custom certificate is installed.

   - Open a Web browser and go to https://mgmt01esx01.sfo01.rainpole.local.
   - Verify that the certificate returned by the host is signed by Rainpole instead of by VMware.
5. Exit the maintenance mode of the host.

   - Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local.
   - Log in using the following credentials.

     |Setting|Value|
     |:------|:----|
     |User name|[email protected]|
     |Password|vsphere_admin_password|

   - From the Home menu, select Hosts and Clusters.
   - Under the SFO01-Mgmt01 data center, right-click the mgmt01esx01.sfo01.rainpole.local host and select Maintenance Mode > Exit Maintenance Mode.
   - Make sure that no warning message about an untrusted mgmt01esx01.sfo01.rainpole.local certificate appears.
6. Repeat Steps 3 to 5 for the rest of the ESXi hosts.

   |ESXi host|Managed by|Certificate file names|
   |:--------|:---------|:---------------------|
   |mgmt01esx02.sfo01.rainpole.local|mgmt01vc01.sfo01.rainpole.local|mgmt01esx02.key, mgmt01esx02.1.cer|
   |mgmt01esx03.sfo01.rainpole.local|mgmt01vc01.sfo01.rainpole.local|mgmt01esx03.key, mgmt01esx03.1.cer|
   |mgmt01esx04.sfo01.rainpole.local|mgmt01vc01.sfo01.rainpole.local|mgmt01esx04.key, mgmt01esx04.1.cer|
   |comp01esx01.sfo01.rainpole.local|comp01vc01.sfo01.rainpole.local|comp01esx01.key, comp01esx01.1.cer|
   |comp01esx02.sfo01.rainpole.local|comp01vc01.sfo01.rainpole.local|comp01esx02.key, comp01esx02.1.cer|
   |comp01esx03.sfo01.rainpole.local|comp01vc01.sfo01.rainpole.local|comp01esx03.key, comp01esx03.1.cer|
   |comp01esx04.sfo01.rainpole.local|comp01vc01.sfo01.rainpole.local|comp01esx04.key, comp01esx04.1.cer|
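The verification step above checks each host's certificate by eye in a browser. The following script, added here and not part of the VMware documentation, performs the same check for every host in the table from a workstation: it opens a TLS connection that is verified against the Rainpole chain file only, then inspects the issuer, the DNS SAN and the expiry of the certificate the host presents. It assumes the chainRoot64.cer chain file from the TRUSTED_ROOTS step is in the working directory and that the Rainpole CA's common name is "Rainpole CA" (a placeholder); a host that still presents a VMCA certificate fails the handshake and is reported as a problem.

```python
import socket
import ssl
import time

CHAIN_FILE = "chainRoot64.cer"      # PEM chain copied to vCenter Server in the TRUSTED_ROOTS step
EXPECTED_ISSUER_CN = "Rainpole CA"  # assumption: CN of the Rainpole issuing CA (placeholder)
HOSTS = ["%s.sfo01.rainpole.local" % h for h in  # the eight hosts from the table above
         ("mgmt01esx01", "mgmt01esx02", "mgmt01esx03", "mgmt01esx04",
          "comp01esx01", "comp01esx02", "comp01esx03", "comp01esx04")]

def rdn_to_dict(name):
    # getpeercert() returns names as ((('attr', 'value'),), ...); flatten to {attr: value}
    return {attr: value for rdn in name for attr, value in rdn}

def san_matches(cert, host):
    # True when one of the DNS SANs is exactly the host FQDN (case-insensitive)
    return any(k == "DNS" and v.lower() == host.lower() for k, v in cert.get("subjectAltName", ()))

def evaluate_cert(cert, host, expected_issuer_cn, now=None):
    # Return the problems found in a getpeercert() dict; [] means the custom certificate is in place
    problems = []
    issuer = rdn_to_dict(cert.get("issuer", ()))
    if issuer.get("commonName") != expected_issuer_cn:
        problems.append("issuer CN is %r, expected %r" % (issuer.get("commonName"), expected_issuer_cn))
    if issuer.get("organizationalUnitName") == "VMware Engineering":  # OU used by the default VMCA issuer
        problems.append("issuer looks like the default VMCA (OU=VMware Engineering)")
    if not san_matches(cert, host):
        problems.append("no DNS SAN covers %s" % host)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < (time.time() if now is None else now):
        problems.append("certificate expired on %s" % cert["notAfter"])
    return problems

def fetch_cert(host, cafile, port=443, timeout=5.0):
    # Verify chain and hostname against cafile only (not the system trust store); return the leaf cert
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_hosts(hosts=HOSTS, cafile=CHAIN_FILE, issuer_cn=EXPECTED_ISSUER_CN):
    # {host: [problems]}; a failed handshake (VMCA cert still in place, name mismatch, host down) counts too
    results = {}
    for host in hosts:
        try:
            results[host] = evaluate_cert(fetch_cert(host, cafile), host, issuer_cn)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            results[host] = ["TLS connection failed: %s" % exc]
    return results
```

Run `check_hosts()` after Step 6 and act on any host whose list of problems is not empty.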