Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

About this task

For complete information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215.

Procedure

  1. Log in to a Windows Server 2012 host that has access to the data center as AD administrator and is part of the rainpole.local domain.
  2. Download and extract the Certificate Generation Utility from VMware Knowledge Base article 2146215.
    1. Open the VMware Knowledge Base article in a Web browser.
    2. Extract CertGenVVD-version.zip to the C: drive.
  3. In the c:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=SFO
    ST=CA
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that only the following files are available in the c:\CertGenVVD-version\ConfigFiles folder.
    • comp01nsxm01.sfo01.txt
    • comp01nsxm51.lax01.txt
    • comp01vc01.sfo01.txt
    • comp01vc51.lax01.txt
    • mgmt01nsxm01.sfo01.txt
    • mgmt01nsxm51.lax01.txt
    • sfo01psc01.sfo01.txt
    • lax01psc51.lax01.txt
    • mgmt01srm01.sfo01.txt
    • mgmt01srm51.lax01.txt
    • mgmt01vc01.sfo01.txt
    • mgmt01vc51.lax01.txt
    • mgmt01vdp01.sfo01.txt
    • mgmt01vdp51.lax01.txt
    • mgmt01vrms01.sfo01.txt
    • mgmt01vrms51.lax01.txt
    • vra.txt
    • vrb.txt
    • vrli.lax01.txt
    • vrli.sfo01.txt
    • vro.txt
    • vrops.txt

  6. If sfo01psc01.sfo01.txt or lax01psc51.lax01.txt does not exist, make a copy of mgmt01vc01.sfo01.txt and save it as sfo01psc01.sfo01.txt or lax01psc51.lax01.txt.
  7. Open the copied file in a text editor, and verify that the following properties are configured.

    sfo01psc01.sfo01.txt

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01psc01.sfo01.rainpole.local
    keysize=default
    [SAN]
    comp01psc01
    mgmt01psc01
    comp01psc01.sfo01.rainpole.local
    mgmt01psc01.sfo01.rainpole.local
    sfo01psc01
    sfo01psc01.sfo01.rainpole.local

    lax01psc51.lax01.txt

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=LAX
    ST=default
    CC=default
    CN=lax01psc51.lax01.rainpole.local
    keysize=default
    [SAN]
    comp01psc51
    mgmt01psc51
    comp01psc51.lax01.rainpole.local
    mgmt01psc51.lax01.rainpole.local
    lax01psc51
    lax01psc51.lax01.rainpole.local
  8. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.

    For example, run the following command if you use version 2.1 of the Certificate Generation Utility.

    cd c:\CertGenVVD-2.1
  9. Run the following command to grant PowerShell permissions to run third-party shell scripts.
    Set-ExecutionPolicy RemoteSigned
  10. Run the following command to validate prerequisites for running the utility.

    .\CertGenVVD-2.1.ps1 -validate

    Verify that VMware is included in the available CA Template Policy.
  11. Run the following command to generate MSCA-signed certificates.
    .\CertGenVVD-2.1.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
  12. In the c:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts sub-folder.
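Steps 4 to 7 describe the default.txt and ConfigFiles formats. The following Python example is added here and is not part of the utility or this page: it parses one ConfigFiles entry, resolves `default` values from default.txt, and flags a CN that is missing from the [SAN] list or a key shorter than 2048 bits. The embedded file contents are constructed copies of the sample values above, and the two check rules are this example's own assumptions, not the utility's validation logic.

```python
# Constructed samples mirroring the page's default.txt and sfo01psc01.sfo01.txt.
DEFAULT_TXT = """ORG=Rainpole Inc.
OU=Rainpole.local
LOC=SFO
ST=CA
CC=US
CN=VMware_VVD
keysize=2048
"""
PSC_TXT = """[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=sfo01psc01.sfo01.rainpole.local
keysize=default
[SAN]
comp01psc01
mgmt01psc01
comp01psc01.sfo01.rainpole.local
mgmt01psc01.sfo01.rainpole.local
sfo01psc01
sfo01psc01.sfo01.rainpole.local
"""

def parse_defaults(text):  # default.txt is flat KEY=VALUE lines
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def parse_config(text, defaults):
    """[CERT] KEY=VALUE pairs, then [SAN] names; 'default' resolves via default.txt."""
    cert, san, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "CERT" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            cert[key] = defaults.get(key, value) if value == "default" else value
        elif section == "SAN" and line:
            san.append(line)
    return cert, san

def check_config(cert, san):
    """Assumed sanity rules worth applying before running the utility."""
    return [msg for bad, msg in (
        (cert.get("CN") not in san, "CN is missing from [SAN]"),
        (int(cert.get("keysize", "0")) < 2048, "keysize below 2048"),
    ) if bad]
```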

What to do next

Replace the default product certificates with the certificates that the CertGenVVD utility has generated, either at deployment time or later when a certificate expires.