You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA) available on the parent Active Directory (AD) server.

About this task

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server (mgmt01psc01.sfo01.rainpole.local), and then on the Platform Services Controller for the Compute vCenter Server (comp01psc01.sfo01.rainpole.local).

Table 1. Certificate-Related Files on Platform Services Controllers

| Platform Services Controller | Certificate File Name | Replacement Order |
|---|---|---|
| mgmt01psc01.sfo01.rainpole.local | sfo01psc01.sfo01.1.cer, sfo01psc01.sfo01.key, root64.cer | First |
| comp01psc01.sfo01.rainpole.local | sfo01psc01.sfo01.1.cer, sfo01psc01.sfo01.key, root64.cer | Second |

Procedure

  1. Change the Platform Services Controller command shell to the Bash shell to allow secure copy (scp) connections.
    1. SSH to mgmt01psc01.sfo01.rainpole.local and log in using the following credentials.

       | Setting | Value |
       |---|---|
       | Username | root |
       | Password | mgmtpsc_root_password |

    2. Enter shell and press Enter.
    3. Run the command chsh -s "/bin/bash" root.
  2. Copy the generated certs to the Platform Services Controller.
    1. Use the scp command to copy the contents of the folder C:\CertGenVVD\SignedByMCSACerts\sfo01psc01.sfo01 to the folder /tmp/certs.
    2. Use the scp command to copy the Root64.cer file from the folder C:\CertGenVVD\SignedByMCSACerts\RootCA to the folder /tmp/certs.
  3. Replace the certificate on the Platform Services Controller.
    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.
      /usr/lib/vmware-vmca/bin/certificate-manager
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate enter /tmp/certs/sfo01psc01.sfo01.1.cer.
    6. When prompted for the custom key enter /tmp/certs/sfo01psc01.sfo01.key.
    7. When prompted for the signing certificate enter /tmp/certs/Root64.cer.
    8. When prompted to Continue operation enter Y.
    9. The Platform Services Controller services will restart automatically.
  4. Repeat Step 1 through Step 3 to replace the certificate on comp01psc01.sfo01.rainpole.local.
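
An added pre-flight check, not part of the original procedure: run after Step 2 and before Step 3, it uses openssl to confirm that the private key matches the certificate and that the certificate verifies against the signing certificate. The function name, return codes and the script name check.sh are assumptions, as are the availability of openssl in the appliance's Bash shell and PEM encoding of all three files.

```shell
#!/bin/bash
# Added example, not part of the original procedure. Function name and return
# codes are assumptions made for illustration.
#   0 = files are consistent          1 = file missing or not parsable
#   2 = private key does not match    3 = not signed by the signing certificate
check_psc_cert_bundle() {
    local cert="$1" key="$2" ca="$3" f cert_pub key_pub

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done

    # Certificate and signing certificate must both parse as PEM X.509.
    for f in "$cert" "$ca"; do
        openssl x509 -in "$f" -noout 2>/dev/null ||
            { echo "FAIL: $f is not a PEM X.509 certificate" >&2; return 1; }
    done

    # Load the key non-interactively; an encrypted key fails here instead of
    # prompting for a passphrase.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: cannot load private key $key" >&2; return 1; }

    # The public key in the certificate must be the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not belong to $cert" >&2; return 2; }

    # The certificate must verify (signature and validity dates) against the
    # signing certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca" >&2; return 3; }

    # Show what is about to be installed so the operator can confirm it.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    echo "OK: certificate, key and signing certificate are consistent"
}

# Run on the appliance before Step 3, for example:
#   ./check.sh /tmp/certs/sfo01psc01.sfo01.1.cer \
#              /tmp/certs/sfo01psc01.sfo01.key /tmp/certs/Root64.cer
if [ "$#" -eq 3 ]; then
    check_psc_cert_bundle "$@"
fi
```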