You replace the machine SSL certificate on the vCenter Server instance in the ROBO with a custom certificate that is signed by the certificate authority (CA).

About this task

Table 1. Certificate-Related Files on Platform Services Controllers

  vSphere vCenter Server      Certificate File Name
  nyc01vc01.rainpole.local    nyc01vc01.key
                              nyc01vc01.3.pem (CertGenVVD)
                              chainRoot64.cer

Procedure

  1. Temporarily disconnect the NSX Manager from the embedded Platform Services Controller on the vCenter Server instance in the ROBO.
    1. Open a Web browser and go to https://nyc01nsxm01.rainpole.local.
    2. Log in using the following credentials.

      Setting      Value
      User name    admin
      Password     nsx_manager_admin_password

    3. Click Manage vCenter Registration.
    4. Click the Unconfigure button next to Lookup Service URL.
  2. Log in to the vCenter Server appliance by using a Secure Shell (SSH) client.
    1. Open an SSH connection to nyc01vc01.rainpole.local.
    2. Log in using the following credentials.

      Setting      Value
      Username     root
      Password     vc_root_password

  3. Change the vCenter Server command shell to the Bash shell so that you can use secure copy (scp) connections.

      shell
      chsh -s /bin/bash root
  4. Copy the generated certificate files nyc01vc01.key, nyc01vc01.3.pem, and chainRoot64.cer from the Windows host to the /tmp/ssl directory on the vCenter Server Appliance.

    Use scp, FileZilla or WinSCP to copy the files.

  5. Rename nyc01vc01.3.pem to nyc01vc01.1.chain.cer.
  6. Add the root certificate to the VMware Endpoint Certificate Store as a trusted root certificate by using the following command.

    Enter the vCenter Single Sign-On password when prompted.

      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer
  7. Replace the certificate on vCenter Server.
    1. Start the vSphere Certificate Manager utility on vCenter Server.
      /usr/lib/vmware-vmca/bin/certificate-manager
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /tmp/ssl/nyc01vc01.1.chain.cer.
    6. When prompted for the custom key, enter /tmp/ssl/nyc01vc01.key.
    7. When prompted for the signing certificate, enter /tmp/ssl/chainRoot64.cer.
    8. When prompted to continue operation, enter Y.
    9. Wait until the vCenter Server services restart successfully.
  8. Validate that the new certificate has been installed successfully.
    1. Open a Web browser and go to https://nyc01vc01.rainpole.local.
    2. Verify that the Web browser shows the new certificate.
  9. Restart the VAMI service to update the certificate for the appliance management interface.
    1. Go back to the nyc01vc01.rainpole.local SSH terminal.
    2. Enter the following command to update the certificate for the appliance management interface.

      /etc/init.d/vami-lighttp restart
  10. Switch the command shell back to the appliance shell.

      chsh -s /bin/appliancesh root
  11. If you plan to keep the certificate of the NSX Manager unchanged after you replace the certificate of vCenter Server, reconnect the NSX Manager instance to vCenter Server.
    1. Open a Web browser and go to https://nyc01nsxm01.rainpole.local.
    2. Log in using the following credentials.

      Setting      Value
      User name    admin
      Password     nsx_manager_admin_password

    3. Click Manage vCenter Registration.
    4. Under Lookup Service, click Edit.
    5. In the Lookup Service dialog box, enter the following settings and click OK.

      Setting                        Value
      Lookup Service IP              nyc01vc01.rainpole.local
      Lookup Service Port            443
      SSO Administrator User name    administrator@vsphere.local
      Password                       vsphere_admin_password

    6. In the Trust Certificate? dialog box, click Yes.
    7. Under vCenter Server, click Edit.
    8. In the vCenter Server dialog box, enter the following settings, and click OK.

      Setting               Value
      vCenter Server        nyc01vc01.rainpole.local
      vCenter User name     svc-nsxmanager@rainpole.local
      Password              svc-nsxmanager_password

    9. In the Trust Certificate? dialog box, click Yes.
    10. Wait for the Status indicators for the Lookup Service and vCenter Server to change to the Connected status.
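A pre-flight check for the files staged in /tmp/ssl (steps 4 through 6), worth running before certificate-manager in step 7 so that a mismatched key, a broken chain or a certificate issued for the wrong name is caught before the services restart. This is an added example, not part of the VMware documentation; it assumes openssl is on the appliance PATH and uses the file names from Table 1 after the rename in step 5.

```bash
#!/bin/bash
# Added example: sanity-check the custom certificate bundle before replacing the
# machine SSL certificate. Assumes openssl is available and the files are named as
# in Table 1 (nyc01vc01.key, nyc01vc01.1.chain.cer, chainRoot64.cer).

# The private key must belong to the certificate: compare the public key derived
# from each side. Both files are parsed first so a corrupt file cannot "match".
key_matches_cert() {
  local key="$1" cert="$2" k c
  openssl pkey -in "$key" -noout >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 1
  k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The leaf (first certificate in the chain file) must verify against the root that
# step 6 publishes as trusted; intermediates in the chain file are used as untrusted.
chain_verifies() {
  local cert="$1" root="$2"
  openssl verify -CAfile "$root" -untrusted "$cert" "$cert" >/dev/null 2>&1
}

# Browsers match the subjectAltName, so the vCenter FQDN must appear there.
san_covers() {
  local cert="$1" fqdn="$2"
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -qF "DNS:${fqdn}"
}

# Run every check against a staging directory; returns non-zero on any failure.
verify_cert_bundle() {
  local dir="$1" fqdn="${2:-nyc01vc01.rainpole.local}" rc=0 f
  local key="$dir/nyc01vc01.key" cert="$dir/nyc01vc01.1.chain.cer" root="$dir/chainRoot64.cer"
  for f in "$key" "$cert" "$root"; do
    [ -r "$f" ] || { echo "MISSING $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return "$rc"
  if key_matches_cert "$key" "$cert"; then echo "OK   key matches certificate"
  else echo "FAIL key does not match certificate"; rc=1; fi
  if chain_verifies "$cert" "$root"; then echo "OK   chain verifies against chainRoot64.cer"
  else echo "FAIL chain does not verify against chainRoot64.cer"; rc=1; fi
  if san_covers "$cert" "$fqdn"; then echo "OK   SAN contains $fqdn"
  else echo "FAIL SAN does not contain $fqdn"; rc=1; fi
  return "$rc"
}
```

On the appliance, `verify_cert_bundle /tmp/ssl` prints one line per check; a non-zero exit means the bundle should be regenerated before continuing with step 7.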