The first step is replacing the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA) available on the parent Active Directory (AD) server.

Because the Platform Services Controllers will be load balanced, the machine certificate on both must be the same. The certificate has a common name (CN) of the load-balanced Fully Qualified Domain Name (FQDN), and the Subject Alternative Name (SAN) of the generated certificate must contain the FQDN and short name of each Platform Services Controller together with the load-balanced FQDN and short name.

You replace certificates twice: on the Platform Services Controller for the Management vCenter Server, mgmt01psc51.lax01.rainpole.local, and on the Platform Services Controller for the Compute vCenter Server, comp01psc51.lax01.rainpole.local. Start with mgmt01psc51.lax01.rainpole.local.

Certificate-Related Files on Platform Services Controllers

Platform Services Controller        Config File Name        Certificate File Name     Replacement Order
mgmt01psc51.lax01.rainpole.local    lax01psc51.lax01.txt    lax01psc51.lax01.1.cer    First
comp01psc51.lax01.rainpole.local    -                       lax01psc51.lax01.1.cer    Second

1. Log in to a Windows host that has access to both the AD server and the Platform Services Controllers as an administrator.

2. Generate the certificate for the Platform Services Controllers if you have not done so already.

   a. Download the VMware Validated Design Certificate Generation Utility from KB2146215.

   b. Extract the contents of the zip file to C:\CertGenVVD-2.1.

   c. Open a Windows PowerShell prompt as an administrator and navigate to C:\CertGenVVD-2.1.

   d. Run Set-ExecutionPolicy RemoteSigned.

   e. Run the following command to generate the certificate for the Platform Services Controller.

      .\CertGenVVD-2.1.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'

   f. The certificate and supporting files are saved in the C:\CertGenVVD-2.1\SignedByMSCACerts folder.

3. Change the Platform Services Controller shell to bash to allow SCP connections.

   a. SSH to mgmt01psc51.lax01.rainpole.local and log in with the following credentials.

      Setting     Value
      Username    root
      Password    mgmtpsc_root_password

   b. Type shell and press Enter.

   c. Run the command chsh -s "/bin/bash" root.

4. Copy the generated certificates to the Platform Services Controllers.

   a. SCP the contents of the C:\CertGenVVD-2.1\SignedByMSCACerts\lax01psc51.lax01 folder to /tmp/certs.

   b. SCP the Root64.cer file from C:\CertGenVVD-2.1\SignedByMSCACerts\RootCA to /tmp/certs.

5. Replace the certificate on the Platform Services Controller.

   a. Start the vSphere Certificate Manager utility on the Platform Services Controller.

      /usr/lib/vmware-vmca/bin/certificate-manager

   b. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).

   c. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.

   d. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).

   e. When prompted for the custom certificate, enter /tmp/certs/lax01psc51.lax01.1.cer.

   f. When prompted for the custom key, enter /tmp/certs/lax01psc51.lax01.key.

   g. When prompted for the signing certificate, enter /tmp/certs/Root64.cer.

   h. When prompted to Continue operation, enter Y.

   i. The Platform Services Controller services restart automatically.

6. Replace the certificate on comp01psc51.lax01.rainpole.local by repeating steps 3-5.
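Before step 5 imports the certificate, it is worth confirming that the file generated in step 2 actually carries the names the introduction requires: the load-balanced FQDN as the CN, and the FQDN and short name of each Platform Services Controller plus the load-balanced FQDN and short name in the SAN. The check below is an added example, not part of the VMware Validated Design procedure or the CertGenVVD utility; it assumes the load-balanced FQDN is lax01psc51.lax01.rainpole.local (inferred from the certificate file name above) and that openssl is available where check_cert_file() runs, as it is on the appliance.

```python
# Added pre-import check for the PSC machine SSL certificate; not part of the
# VMware Validated Design procedure. Name logic is pure Python; check_cert_file()
# runs openssl, which the PSC appliance ships. LB_FQDN is an assumption.
import re
import subprocess

LB_FQDN = "lax01psc51.lax01.rainpole.local"  # assumed load-balanced FQDN
PSC_FQDNS = ("mgmt01psc51.lax01.rainpole.local",
             "comp01psc51.lax01.rainpole.local")

# Constructed sample of 'openssl x509 -noout -text' output for offline testing.
SAMPLE_OPENSSL_TEXT = """\
        Issuer: DC=local, DC=rainpole, CN=rainpole-CA
        Subject: C=US, O=Rainpole, OU=VVD, CN=lax01psc51.lax01.rainpole.local
            X509v3 Subject Alternative Name:
                DNS:lax01psc51.lax01.rainpole.local, DNS:lax01psc51, \
DNS:mgmt01psc51.lax01.rainpole.local, DNS:mgmt01psc51, \
DNS:comp01psc51.lax01.rainpole.local, DNS:comp01psc51
"""

def required_names(lb_fqdn, psc_fqdns):
    """Every name a client may use: LB FQDN, each PSC FQDN, and their short names."""
    names = set()
    for fqdn in (lb_fqdn,) + tuple(psc_fqdns):
        names.add(fqdn.lower())
        names.add(fqdn.split(".")[0].lower())
    return names

def parse_openssl_names(text):
    """Pull the subject CN and the DNS SAN entries out of openssl -text output."""
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    sans = {m.lower() for m in re.findall(r"DNS:([^,\s]+)", text)}
    return (cn.group(1).strip().lower() if cn else None), sans

def check_cert_names(text, lb_fqdn=LB_FQDN, psc_fqdns=PSC_FQDNS):
    """Return a list of problems; an empty list means the certificate fits."""
    cn, sans = parse_openssl_names(text)
    problems = []
    if cn != lb_fqdn.lower():
        problems.append("CN is %r, expected load-balanced FQDN %r" % (cn, lb_fqdn))
    for name in sorted(required_names(lb_fqdn, psc_fqdns) - sans):
        problems.append("SAN is missing %s" % name)
    return problems

def check_cert_file(path):
    """Check a real PEM file, e.g. /tmp/certs/lax01psc51.lax01.1.cer."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return check_cert_names(out)
```

On the appliance, `check_cert_file("/tmp/certs/lax01psc51.lax01.1.cer")` returns an empty list when the certificate is usable for both Platform Services Controllers; any missing name is reported before the Certificate Manager import touches the running services.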