You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA) available on the parent Active Directory (AD) server.

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server (mgmt01psc01.sfo01.rainpole.local), and then on the Platform Services Controller for the Compute vCenter Server (comp01psc01.sfo01.rainpole.local).

Certificate-Related Files on Platform Services Controllers

| Platform Services Controller | Certificate File Name | Replacement Order |
|---|---|---|
| mgmt01psc01.sfo01.rainpole.local | sfo01psc01.sfo01.1.cer, sfo01psc01.sfo01.key, root64.cer | First |
| comp01psc01.sfo01.rainpole.local | sfo01psc01.sfo01.1.cer, sfo01psc01.sfo01.key, root64.cer | Second |

1. Change the Platform Services Controller command shell to the Bash shell to allow secure copy (scp) connections.

   a. SSH to mgmt01psc01.sfo01.rainpole.local and log in using the following credentials.

      | Setting | Value |
      |---|---|
      | Username | root |
      | Password | mgmtpsc_root_password |

   b. Enter shell and press Enter.

   c. Run the command chsh -s "/bin/bash" root.

2. Copy the generated certs to the Platform Services Controller.

   a. Use the scp command to copy the contents of the folder C:\CertGenVVD\SignedByMCSACerts\sfo01psc01.sfo01 to the folder /tmp/certs.

   b. Use the scp command to copy the Root64.cer file from the folder C:\CertGenVVD\SignedByMCSACerts\RootCA to the folder /tmp/certs.

3. Replace the certificate on the Platform Services Controller.

   a. Start the vSphere Certificate Manager utility on the Platform Services Controller.

      /usr/lib/vmware-vmca/bin/certificate-manager

   b. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).

   c. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.

   d. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).

   e. When prompted for the custom certificate, enter /tmp/certs/sfo01psc01.sfo01.1.cer.

   f. When prompted for the custom key, enter /tmp/certs/sfo01psc01.sfo01.key.

   g. When prompted for the signing certificate, enter /tmp/certs/Root64.cer.

   h. When prompted to Continue operation, enter Y.

   i. The Platform Services Controller services will restart automatically.

4. Repeat Step 3 through Step 5 to replace the certificate on comp01psc01.sfo01.rainpole.local.
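A pre-import check that can be run on the Platform Services Controller after the files are copied to /tmp/certs, so that a mismatched key or an untrusted chain is caught before certificate-manager restarts services. This is an added example, not part of the original procedure or of VMware's tooling: the function name check_cert_bundle is hypothetical, openssl is assumed to be available in the appliance's Bash shell, and the requirement that the certificate carry the host name as a DNS subject alternative name is an assumption.

```shell
#!/bin/bash
# Added example (not part of the original procedure): pre-import check of the
# files that certificate-manager is given in steps 3e to 3g.
# Assumption: the Machine SSL certificate must list the expected FQDN as a DNS SAN.

fail() { echo "FAIL: $1" >&2; return 1; }

check_cert_bundle() {   # args: <cert> <key> <root-ca> <expected-fqdn>
    local cert=$1 key=$2 root=$3 fqdn=$4 f cert_pub key_pub

    for f in "$cert" "$key" "$root"; do
        [ -r "$f" ] || { fail "cannot read $f"; return 1; }
    done

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { fail "$cert is not a PEM certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { fail "$key is not an unencrypted PEM private key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { fail "private key does not match certificate"; return 1; }

    # 2. The certificate must chain to the signing (root CA) certificate.
    #    The printed verdict is checked instead of relying on the exit status alone.
    openssl verify -CAfile "$root" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { fail "certificate does not verify against $root"; return 1; }

    # 3. The expected host name must appear as an exact DNS SAN entry.
    openssl x509 -in "$cert" -noout -text | tr ',' '\n' | sed 's/^ *//' |
        grep -Fxiq "DNS:$fqdn" ||
        { fail "no DNS SAN entry for $fqdn"; return 1; }

    # 4. The certificate must not already be past its notAfter date.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { fail "certificate has expired"; return 1; }

    echo "OK: $cert, $key and $root are consistent for $fqdn"
}

# Stand-alone use: pass the three files from /tmp/certs plus the FQDN to check.
if [ "$#" -eq 4 ]; then
    check_cert_bundle "$@"
fi
```

File names on the appliance are case-sensitive, so pass the root certificate under the exact name it has in /tmp/certs.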