When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA). You have set up the Certificate Authority earlier on the Active Directory server.

Prerequisites

Generate a CSR for the certificate that you want to replace. You generate the CSR on the machine where the certificate is installed.

Procedure
1

Log in to the Windows host that has access to the AD server as an administrator.

2

Submit a request and download the certificate chain that contains the CA-signed certificate and the CA certificate.

a

Open a Web Browser and go to http://dc01sfo.sfo01.rainpole.local/CertSrv/ to open the Web interface of the CA server.

b

Log in using the following credentials.

Setting

Value

User name

AD administrator

Password

ad_admin_password
c

Click the Request a certificate link.

d

Click advanced certificate request.

e

Open the CSR file .csr in a plain text editor.

f

Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- to the clipboard. 

g

On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR file into the Saved Request box.

h

From the Certificate Template drop-down menu, select VMware and click Submit


i

On the Certificate issued screen, click Base 64 encoded.

j

Click the Download Certificate chain link and save the certificate chain file certnew.p7b to the Downloads folder.

3

Export the machine certificate to the correct format.

a

Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.

b

Navigate to certnew.p7b > Certificates and notice the three certificates.

c

Right-click the machine certificate and select All Tasks > Export.

d

In the Certificate Export Wizard, click Next.

e

Select Base-64 encoded X.509 (.CER) and click Next.

f

Browse to C:\certs and specify the certificate name in the File name text box.

g

Click Next and click Finish

The certificate file is saved to the C:\certs folder.

4

Export the intermediate CA certificate file to the correct format.

a

Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.

b

Navigate to certnew.p7b > Certificates and notice the three certificates.

c

Right-click the intermediate CA certificate and select All Tasks > Export.

d

In the Certificate Export Wizard, click Next.

e

Select Base-64 encoded X.509 (.CER) and click Next.

f

Browse to C:\certs and enter Intermediate in the File name text box. 

g

Click Next and click Finish.

The Intermediate.cer file is saved to the C:\certs folder.

5

Export the root CA certificate file in the correct format.

a

Right-click the root certificate and select All Tasks > Export.

b

In the Certificate Export Wizard, click Next.

c

Select Base-64 encoded X.509 (.CER) and click Next.

d

Browse to C:\certs and enter Root64 in the File name text box. 

e

Click Next and click Finish.

The Root64.cer file is saved to the C:\certs folder.

Previous topic: Use the Certificate Generation Utility to Generate CA-Signed Certificates for the SDDC Management Components