Generate Manually Key Pair and Certificate Signing Request for vCenter Server in Region A

If you plan to manually generate a CA-signed certificate for vCenter Server in Region A, create a Certificate Signing Request (CSR) and submit it to the certificate authority for signing.

Before you begin

Verify that the Windows host that you use for access to the data center is a part of the sfo01.rainpole.local domain.

About this task

You generate a Certificate Signing Request (CSR) on the vCenter Server instances by using the vSphere Certificate Manager utility.

Procedure

  1. Log in to a Windows host that has access to the data center as administrator.
  2. Log in to the vCenter Server Appliance for the management cluster by using a Secure Shell (SSH) client.

    1. Open an SSH connection to the vCenter Server instance.

       |vCenter Server|Virtual Appliance FQDN|
       |:-------------|:---------------------|
       |Management vCenter Server|mgmt01vc01.sfo01.rainpole.local|
       |Compute vCenter Server|comp01vc01.sfo01.rainpole.local|

    2. Log in using the following credentials.

       |Setting|Value|
       |:------|:----|
       |User name|root|
       |Password|vcenter_server_root_password|

  3. Enable the Bash shell by running the following command.

    ```
    shell
    ```

  4. Create a directory to save the certificate signing request and private key to.

    ```
    mkdir /tmp/ssl
    ```

  5. Start the vSphere Certificate Manager utility.

    ```
    /usr/lib/vmware-vmca/bin/certificate-manager
    ```

  6. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name [email protected] and the vsphere_admin_password password.

  7. When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.

    |vCenter Server|IP Address of Connected Platform Services Controller|
    |:-------------|:---------------------------------------------------|
    |mgmt01vc01.sfo01.rainpole.local|172.16.11.61|
    |comp01vc01.sfo01.rainpole.local|172.16.11.63|

  8. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate), and enter /tmp/ssl for the directory to save the certificate signing request and private key to.

  9. Provide the following settings to configure certool.cfg and close the vSphere Certificate Manager utility.

    |Setting|Value on the Management Platform Services Controller|Value on the Compute Platform Services Controller|
    |:------|:---------------------------------------------------|:------------------------------------------------|
    |Country|US|US|
    |Name|mgmt01vc01.sfo01.rainpole.local|comp01vc01.sfo01.rainpole.local|
    |Organization|Rainpole Inc.|Rainpole Inc.|
    |OrgUnit|Rainpole.local|Rainpole.local|
    |State|California|California|
    |Locality|Palo Alto|Palo Alto|
    |IPAddress|-|-|
    |Email|[email protected]|[email protected]|
    |Hostname|mgmt01vc01.sfo01.rainpole.local|comp01vc01.sfo01.rainpole.local|

    The utility creates the CSR file vmca_issued_csr.csr and the private key file vmca_issued_key.key in the /tmp/ssl folder.

  10. Rename the vmca_issued_csr.csr and vmca_issued_key.key files to match the virtual machine name of the vCenter Server instance.

    |vCenter Server|Key and CSR File Names|Command|
    |:-------------|:---------------------|:------|
    |mgmt01vc01.sfo01.rainpole.local|mgmt01vc01.sfo01_ssl.csr and mgmt01vc01.sfo01_ssl.key|`mv vmca_issued_csr.csr mgmt01vc01.sfo01_ssl.csr` and then `mv vmca_issued_key.key mgmt01vc01.sfo01_ssl.key`|
    |comp01vc01.sfo01.rainpole.local|comp01vc01.sfo01_ssl.csr and comp01vc01.sfo01_ssl.key|`mv vmca_issued_csr.csr comp01vc01.sfo01_ssl.csr` and then `mv vmca_issued_key.key comp01vc01.sfo01_ssl.key`|

  11. If you plan to manually generate a certificate for the other vCenter Server instance in Region A, repeat Step 2 to Step 10.

  12. Copy the .csr file to the C:\manual-certs\vc directory on the Windows host that you use to access the vCenter Server instances and the AD server.

    |vCenter Server|Directory on the Windows host|
    |:-------------|:----------------------------|
    |Management vCenter Server|C:\manual-certs\vc\mgmt01vc01.sfo01_ssl.csr|
    |Compute vCenter Server|C:\manual-certs\vc\comp01vc01.sfo01_ssl.csr|

    Use the scp command, FileZilla, or WinSCP to copy the file.
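An added check, not part of the VMware procedure, that you can run in the appliance's Bash shell after Step 10 and before copying the CSR to the Windows host: it confirms that the renamed CSR and private key belong together, that the CSR subject CN is the vCenter Server FQDN entered as Name in certool.cfg, and that the private key file is not readable by other users. The function name verify_csr and the availability of the openssl command on the appliance are assumptions.

```shell
#!/bin/sh
# verify_csr CSR_FILE KEY_FILE EXPECTED_CN
# Added check (not part of the VMware procedure) for the files that
# certificate-manager writes to /tmp/ssl. Assumes the openssl CLI is
# available in the appliance's Bash shell.
#   1. CSR and private key must carry the same public key, otherwise
#      the CA-signed certificate will not load on this vCenter Server.
#   2. The subject CN must equal the FQDN entered as Name in certool.cfg.
#   3. The private key file must not be group- or world-readable.
# Returns 0 when all checks pass, 1 otherwise (reason on stderr).
verify_csr() {
  csr="$1"; key="$2"; expected_cn="$3"
  # Both commands exit non-zero if the file is missing or not valid PEM.
  csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot parse CSR $csr" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot parse private key $key" >&2; return 1; }

  # Both are the SubjectPublicKeyInfo in PEM, so a string compare suffices.
  if [ "$csr_pub" != "$key_pub" ]; then
    echo "FAIL: public key in $csr does not match $key" >&2
    return 1
  fi

  # RFC 2253 output has no spaces around '=', so the CN is easy to split out.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed 's/^subject=[[:space:]]*//' | tr ',' '\n' \
       | sed -n 's/^CN=//p' | head -n 1)
  if [ "$cn" != "$expected_cn" ]; then
    echo "FAIL: CSR subject CN is '$cn', expected '$expected_cn'" >&2
    return 1
  fi

  # GNU stat (Linux, as on the appliance) first, BSD stat as a fallback.
  perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$perms" in
    ?00) ;;
    *) echo "FAIL: $key has mode $perms, expected 600 or 400" >&2; return 1 ;;
  esac

  echo "OK: $csr and $key match, CN=$cn"
  return 0
}

# Usage on the management vCenter Server, after Step 10:
#   verify_csr /tmp/ssl/mgmt01vc01.sfo01_ssl.csr /tmp/ssl/mgmt01vc01.sfo01_ssl.key mgmt01vc01.sfo01.rainpole.local
if [ "$#" -eq 3 ]; then
  verify_csr "$@"
fi
```

Run it once per vCenter Server instance with that instance's file names and FQDN; a non-zero exit means the CSR should not be submitted to the CA until the reported problem is fixed.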

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A.

Parent topic: Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A
