You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).

About this task

Because the Platform Services Controller instances are load-balanced, the machine certificate on both instances in the region must be the same. The certificate must have a common name equal to the load-balanced Fully Qualified Domain Name (FQDN). Each Platform Services Controller FQDN and short name, and the load-balanced FQDN and short name, must be in the Subject Alternative Name (SAN) of the generated certificate.

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server, and then on the Platform Services Controller for the Compute vCenter Server.

Table 1. Certificate-Related Files on Platform Services Controllers

  Platform Services Controller       Certificate File Name                    Replacement Order
  ---------------------------------  ---------------------------------------  -----------------
  mgmt01psc01.sfo01.rainpole.local   sfo01psc01.sfo01.key                     First
                                     sfo01psc01.sfo01.3.pem (CertGenVVD)
                                     sfo01psc01.sfo01.chain.cer (Manual)
                                     chainRoot64.cer
  comp01psc01.sfo01.rainpole.local   sfo01psc01.sfo01.key                     Second
                                     sfo01psc01.sfo01.3.pem (CertGenVVD)
                                     sfo01psc01.sfo01.1.chain.cer (Manual)
                                     chainRoot64.cer

Procedure

  1. Log in to vCenter Server by using the vSphere Web Client.
    1. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

       Setting     Value
       User name   administrator@vsphere.local
       Password    vsphere_admin_password

  2. Disable the Platform Services Controller for the shared edge and compute cluster comp01psc01 in the load balancer to route all traffic to the Platform Services Controller for the management cluster mgmt01psc01.
    1. From the vSphere Web Client Home menu, select Network & Security.
    2. In the Navigator, select NSX Edges.
    3. From the NSX Manager drop-down menu, select 172.16.11.65.
    4. Double-click the SFO01PSC01 edge device to open its network settings.
    5. On the Manage tab, click the Load Balancer tab and click Pools.
    6. Select pool-1 and click Edit.
    7. Select the comp01psc01 member, click Edit, select Disable from the State drop-down menu and click OK.
    8. Repeat Step 6 and Step 7 to disable comp01psc01 in pool-2.
  3. Disconnect the NSX Manager instances from the Platform Services Controller temporarily.
    1. Open a Web Browser and go to https://mgmt01nsxm01.sfo01.rainpole.local.
    2. Log in using the following credentials.

       Setting     Value
       User name   admin
       Password    nsx_manager_admin_password

    3. Click Manage vCenter Registration.
    4. Click the Unconfigure button next to Lookup Service URL.
    5. Repeat the steps on https://comp01nsxm01.sfo01.rainpole.local.
  4. Log in to the Platform Services Controller by using a Secure Shell (SSH) client.
    1. Open an SSH connection to mgmt01psc01.sfo01.rainpole.local.
    2. Log in using the following credentials.

       Setting     Value
       User name   root
       Password    mgmtpsc_root_password

  5. Change the Platform Services Controller command shell to the Bash shell.
    shell
    chsh -s /bin/bash root
  6. Copy the generated certificate files sfo01psc01.sfo01.key, sfo01psc01.sfo01.3.pem and chainRoot64.cer from the Windows host to the /tmp/ssl directory on the Platform Services Controller.

    Use scp, FileZilla or WinSCP to copy the files.

  7. Rename sfo01psc01.sfo01.3.pem to sfo01psc01.sfo01.1.chain.cer.
  8. Add the root certificate to the VMware Endpoint Certificate Store as a trusted root certificate using the following command.

    Enter the vCenter Single Sign-On password when prompted.

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer
  9. Replace the certificate on the Platform Services Controller.
    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.
      /usr/lib/vmware-vmca/bin/certificate-manager
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the password vsphere_admin_password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /tmp/ssl/sfo01psc01.sfo01.1.chain.cer.
    6. When prompted for the custom key, enter /tmp/ssl/sfo01psc01.sfo01.key.
    7. When prompted for the signing certificate, enter /tmp/ssl/chainRoot64.cer (the file name is case-sensitive on the appliance).
    8. When prompted to continue the operation, enter Y.

      Wait until the Platform Services Controller services restart successfully.

  10. Validate that the new certificate has been installed successfully.
    1. Open a Web Browser and go to https://mgmt01psc01.sfo01.rainpole.local.
    2. Verify that the Web browser shows the new certificate.
  11. Restart VAMI service to update certificates for the appliance management interface.
    1. Go back to the mgmt01psc01.sfo01.rainpole.local SSH terminal.
    2. Enter the following command to update certificates for the appliance management interface.
      /etc/init.d/vami-lighttp restart
  12. Switch the shell back to the appliance shell.
    chsh -s /bin/appliancesh root
  13. Repeat Step 4 to Step 11 to replace the certificate on comp01psc01.sfo01.rainpole.local.
  14. Restart the services on the Management vCenter Server.
    1. Open an SSH connection to mgmt01vc01.sfo01.rainpole.local.
    2. Log in using the following credentials.

       Setting     Value
       User name   root
       Password    mgmtvc_root_password

    3. Switch from the vCenter Server Appliance command shell to the Bash shell.
      shell
    4. Restart vCenter Server services by using the following command.
      service-control --stop --all
      service-control --start --all
  15. Restore the load balancer configuration.
    1. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

       Setting     Value
       User name   administrator@vsphere.local
       Password    vsphere_admin_password

    3. From the vSphere Web Client Home menu, select Network & Security.
    4. In the Navigator, select NSX Edges.
    5. From the NSX Manager drop-down menu, select 172.16.11.65.
    6. Double-click the SFO01PSC01 edge device to open its network settings.
    7. On the Manage tab, click the Load Balancer tab and click Pools.
    8. Select pool-1 and click Edit.
    9. Select the comp01psc01 member, click Edit, select Enabled from the State drop-down menu and click OK.
    10. Repeat Step 8 and Step 9 to enable comp01psc01 in pool-2.
  16. Repeat Step 14 to restart the services on the Compute vCenter Server comp01vc01.sfo01.rainpole.local in Region A and on the vCenter Server instances mgmt01vc51.lax01.rainpole.local and comp01vc51.lax01.rainpole.local in Region B.

What to do next

If you replace only the certificate of the Platform Services Controller instances, reconnect the NSX Managers to the Platform Services Controller load balancer and to vCenter Server after you install the custom certificates on the nodes. See Connect NSX Manager to the Management vCenter Server in Region A.

If you replace the certificates of vCenter Server after those of the Platform Services Controllers, see Replace the vCenter Server Certificate Files in Region A.