Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products in a single operation.

For complete information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215.

1. Log in to a Windows Server 2012 host that has access to the data center as AD administrator and is part of the rainpole.local domain.

2. Download and extract the Certificate Generation Utility from VMware Knowledge Base article 2146215.

   a. Open the VMware Knowledge Base article in a Web browser.

   b. Extract CertGenVVD-version.zip to the C: drive.

3. In the c:\CertGenVVD-version folder, open the default.txt file in a text editor.

4. Verify that the following properties are configured.

ORG=Rainpole Inc.
OU=Rainpole.local
LOC=SFO
ST=CA
CC=US
CN=VMware_VVD
keysize=2048

5. Verify that only the following files are available in the c:\CertGenVVD-version\ConfigFiles folder.

comp01nsxm01.sfo01.txt

comp01nsxm51.lax01.txt

comp01vc01.sfo01.txt

comp01vc51.lax01.txt

mgmt01nsxm01.sfo01.txt

mgmt01nsxm51.lax01.txt

sfo01psc01.sfo01.txt

lax01psc51.lax01.txt

mgmt01srm01.sfo01.txt

mgmt01srm51.lax01.txt

mgmt01vc01.sfo01.txt

mgmt01vc51.lax01.txt

mgmt01vdp01.sfo01.txt

mgmt01vdp51.lax01.txt

mgmt01vrms01.sfo01.txt

mgmt01vrms51.lax01.txt

vra.txt

vrb.txt

vrli.lax01.txt

vrli.sfo01.txt

vro.txt

vrops.txt

6. If sfo01psc01.sfo01.txt or lax01psc51.lax01.txt does not exist, make a copy of mgmt01vc01.sfo01.txt and save it as sfo01psc01.sfo01.txt or lax01psc51.lax01.txt.

7. Open the copied file in a text editor, and verify that the following properties are configured.

sfo01psc01.sfo01.txt

[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=sfo01psc01.sfo01.rainpole.local
keysize=default
[SAN]
comp01psc01
mgmt01psc01
comp01psc01.sfo01.rainpole.local
mgmt01psc01.sfo01.rainpole.local
sfo01psc01
sfo01psc01.sfo01.rainpole.local

lax01psc51.lax01.txt

[CERT]
NAME=default
ORG=default
OU=default
LOC=LAX
ST=default
CC=default
CN=lax01psc51.lax01.rainpole.local
keysize=default
[SAN]
comp01psc51
mgmt01psc51
comp01psc51.lax01.rainpole.local
mgmt01psc51.lax01.rainpole.local
lax01psc51
lax01psc51.lax01.rainpole.local

8. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.

For example, run the following command if you use version 2.1 of the Certificate Generation Utility.

cd c:\CertGenVVD-2.1

9. Run the following command to grant PowerShell permission to run third-party scripts.

Set-ExecutionPolicy RemoteSigned

10. Run the following command to validate the prerequisites for running the utility.

.\CertGenVVD-2.1.ps1 -validate

In the output, verify that VMware is included in the available CA Template Policy.

11. Run the following command to generate MSCA-signed certificates.

.\CertGenVVD-2.1.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'

12. In the c:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts sub-folder.

Replace the default product certificates with the certificates that the CertGenVVD utility generated, either at deployment time or later when a certificate expires.
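As an added example (not code from the VMware documentation or from the CertGenVVD utility), the following Python script parses a component file in the [CERT]/[SAN] layout from step 7, fills the "default" values from the default.txt shown in step 4, and flags the problems worth catching before step 11: unresolved fields, a key shorter than 2048 bits, and a CN that is not also listed under [SAN]. The checks are assumptions about good practice rather than documented behaviour of the utility, and the sample file contents are constructed from the values shown on this page.

```python
# Added example (not VMware's or the CertGenVVD utility's code): parse a [CERT]/[SAN]
# file, fill "default" from default.txt, flag problems. Samples constructed from the page.
DEFAULT_TXT = """ORG=Rainpole Inc.
OU=Rainpole.local
LOC=SFO
ST=CA
CC=US
CN=VMware_VVD
keysize=2048"""
PSC_TXT = """[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=sfo01psc01.sfo01.rainpole.local
keysize=default
[SAN]
comp01psc01
mgmt01psc01
comp01psc01.sfo01.rainpole.local
mgmt01psc01.sfo01.rainpole.local
sfo01psc01
sfo01psc01.sfo01.rainpole.local"""

def parse(text):
    """Return (cert_dict, san_list); header-less default.txt parses as [CERT]."""
    cert, san, section = {}, [], "CERT"
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "CERT" and "=" in line:
            key, value = line.split("=", 1)
            cert[key.strip()] = value.strip()
        elif section == "SAN":
            san.append(line)
    return cert, san

def resolve(cert, defaults):
    """Swap the literal 'default' for the default.txt value. Keys with no default
    (e.g. NAME) stay as written; the page does not say how the utility fills them."""
    return {k: defaults.get(k, v) if v == "default" else v for k, v in cert.items()}

def check(cert, san):
    """Problems to fix before running the utility (assumed checks, not the tool's)."""
    fields = ("ORG", "OU", "LOC", "ST", "CC", "CN", "keysize")
    issues = [f"{k} unresolved" for k in fields if cert.get(k, "default") == "default"]
    if not cert.get("keysize", "").isdigit() or int(cert["keysize"]) < 2048:
        issues.append("keysize missing or below 2048")
    if cert.get("CN") not in san:
        issues.append("CN not listed under [SAN]")
    return issues
```

Running `check(resolve(*parse(PSC_TXT)[:1], parse(DEFAULT_TXT)[0]), parse(PSC_TXT)[1])` against the page's sfo01psc01 file returns an empty list; the same check on the lax01 file from step 7 or on any other file in the ConfigFiles folder works the same way.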