Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products in a single operation.

About this task

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215.

Prerequisites

  • If you use an intermediate CA such as dc03rpl.rainpole.local, make sure the Windows host that you use to connect to the data center is a part of the rainpole.local domain.

Procedure

  1. Log in to a Windows host that has access to your data center.
  2. Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
  3. In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=NYC
    ST=NY
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that the c:\CertGenVVD-version\ConfigFiles folder contains only the following files.
    • nyc01esx01.txt
    • nyc01esx02.txt
    • nyc01esx03.txt
    • nyc01esx04.txt
    • nyc01vc01.txt
    • nyc01nsxm01.txt
    • nyc01vdp01.txt
    • nyc01vrli01.txt

  6. If any of the files does not exist, create it so that you can generate the required certificates for the ROBO.
    1. Create a new file in a text editor, add the following properties, and save it as nyc01esx01.txt.

      nyc01esx01.txt

      [CERT] 
      NAME=default
      ORG=default 
      OU=default
      LOC=default
      ST=default
      CC=default
      CN=nyc01esx01.rainpole.local
      keysize=default
      [SAN]
      nyc01esx01
      nyc01esx01.rainpole.local
    2. Repeat the steps for each of the missing configuration files.

      nyc01esx02.txt

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=default
      ST=default
      CC=default
      CN=nyc01esx02.rainpole.local
      keysize=default
      [SAN]
      nyc01esx02
      nyc01esx02.rainpole.local

      nyc01esx03.txt

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=default
      ST=default
      CC=default
      CN=nyc01esx03.rainpole.local
      keysize=default
      [SAN]
      nyc01esx03
      nyc01esx03.rainpole.local

      nyc01esx04.txt

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=default
      ST=default
      CC=default
      CN=nyc01esx04.rainpole.local
      keysize=default
      [SAN]
      nyc01esx04
      nyc01esx04.rainpole.local

      nyc01vc01.txt

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=default
      ST=default
      CC=default
      CN=nyc01vc01.rainpole.local
      keysize=default
      [SAN]
      nyc01vc01
      nyc01vc01.rainpole.local

      nyc01nsxm01.txt

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=default
      ST=default
      CC=default
      CN=nyc01nsxm01.rainpole.local
      keysize=default
      [SAN]
      nyc01nsxm01
      nyc01nsxm01.rainpole.local

      nyc01vdp01.txt

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=default
      ST=default
      CC=default
      CN=nyc01vdp01.rainpole.local
      keysize=default
      [SAN]
      nyc01vdp01
      nyc01vdp01.rainpole.local

      nyc01vrli01.txt

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=default
      ST=default
      CC=default
      CN=nyc01vrli01-cluster01.rainpole.local
      keysize=default
      [SAN]
      nyc01vrli01-cluster01
      nyc01vrli01
      nyc01vrli02
      nyc01vrli03
      nyc01vrli01-cluster01.rainpole.local
      nyc01vrli01.rainpole.local
      nyc01vrli02.rainpole.local
      nyc01vrli03.rainpole.local
  7. Open a Windows PowerShell prompt and navigate to the CertGenVVD-version folder.

    For example, if you use CertGenVVD 2.1, navigate to the following folder:

    cd C:\CertGenVVD-2.1
  8. Run the following command to grant PowerShell permissions to run third-party shell scripts.
    Set-ExecutionPolicy Unrestricted
  9. Run the following command to validate prerequisites for running the utility.

    .\CertGenVVD-2.1.ps1 -validate

    Verify that VMware is included in the available CA Template Policy.
  10. Run the following command to generate MSCA-signed certificates.
    .\CertGenVVD-2.1.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
  11. In the c:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts sub-folder.
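The file checks in steps 5 and 6 can be scripted so that a missing file, a stray file, or a mismatch between a file name, its CN and its [SAN] list is caught before step 10 signs anything. The following PowerShell script is an added example, not part of the CertGenVVD utility or the VMware documentation; it assumes CertGenVVD 2.1 extracted to C:\ (so C:\CertGenVVD-2.1\ConfigFiles) and the rainpole.local domain used above.

```powershell
# Added example, not part of CertGenVVD: sanity-check the ConfigFiles folder before
# step 10 generates certificates. The folder path assumes CertGenVVD 2.1 extracted to C:\.
param(
    [string]$ConfigDir = 'C:\CertGenVVD-2.1\ConfigFiles',
    [string]$Domain    = 'rainpole.local'
)

# The complete set of configuration files from step 5 (assumed to be all this ROBO needs)
$expected = 'nyc01esx01','nyc01esx02','nyc01esx03','nyc01esx04',
            'nyc01vc01','nyc01nsxm01','nyc01vdp01','nyc01vrli01' | ForEach-Object { "$_.txt" }
$present  = @(Get-ChildItem -Path $ConfigDir -File | Select-Object -ExpandProperty Name)
$issues   = 0

foreach ($name in $expected) {
    if ($present -notcontains $name) { Write-Warning "Missing config file: $name"; $issues++ }
}
foreach ($name in $present) {
    if ($expected -notcontains $name) { Write-Warning "File not listed in step 5: $name"; $issues++ }
}

foreach ($file in Get-ChildItem -Path $ConfigDir -Filter '*.txt' -File) {
    $section = ''; $cert = @{}; $san = @()
    foreach ($raw in Get-Content -Path $file.FullName) {
        $line = $raw.Trim()                       # the sample files carry trailing spaces
        if ($line -eq '') { continue }
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1].ToUpper(); continue }
        if ($section -eq 'CERT') {
            $parts = $line -split '=', 2          # key=value lines only
            if ($parts.Count -eq 2) { $cert[$parts[0].Trim()] = $parts[1].Trim() }
        } elseif ($section -eq 'SAN') {
            $san += $line                         # one subject alternative name per line
        }
    }
    $cn = $cert['CN']
    if (-not $cn) { Write-Warning "$($file.Name): [CERT] has no CN"; $issues++; continue }
    if ($cn -notlike "*.$Domain") { Write-Warning "$($file.Name): CN '$cn' is not in $Domain"; $issues++ }
    $short = $cn -replace ('\.' + [regex]::Escape($Domain) + '$'), ''
    # The CN (short and FQDN) and the host the file is named after must all be SANs;
    # a name missing here means TLS clients reject the certificate when using that name.
    foreach ($name in @($short, $cn, $file.BaseName, "$($file.BaseName).$Domain")) {
        if ($san -notcontains $name) { Write-Warning "$($file.Name): SAN list lacks '$name'"; $issues++ }
    }
    $ks = $cert['keysize']
    if ($ks -and $ks -ne 'default' -and [int]$ks -lt 2048) {
        Write-Warning "$($file.Name): keysize $ks is below the 2048 set in default.txt"; $issues++
    }
}
if ($issues -eq 0) { Write-Output "ConfigFiles OK: $($present.Count) files checked" }
else { Write-Output "$issues issue(s) found; fix them before running CertGenVVD" }
```

Run it from the PowerShell prompt opened in step 7; every warning names the file and the property that needs attention.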