After you deploy the load balancer for the Platform Services Controller instances in Region B, replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA) on the child Active Directory (AD) server.

Because the Platform Services Controllers are load balanced, the machine certificate must be the same on both. The certificate must have the load-balanced Fully Qualified Domain Name (FQDN) as its common name, and the Subject Alternative Name (SAN) of the generated certificate must contain the FQDN and short name of each Platform Services Controller along with the load-balanced FQDN and short name.

You replace certificates twice: on the Platform Services Controller for the Management vCenter Server mgmt01psc51.lax01.rainpole.local and on the Platform Services Controller for the Compute vCenter Server comp01psc51.lax01.rainpole.local. You start replacing certificates on Platform Services Controller mgmt01psc51.lax01.rainpole.local first. 

Table 1. Certificate-Related Files on Platform Services Controllers

Platform Services Controller | Certificate File Name | Replacement Order








  1. Log in to a Windows host that has access to both the AD server and the Platform Services Controllers as an administrator.
  2. Generate the certificate for the Platform Services Controllers.
    1. Download the VMware Validated Design Certificate Generation Utility from VMware Knowledge Base article 2146215.
    2. Extract the contents of the zip file to the C:\ drive.
    3. Open a Windows PowerShell prompt as an administrator and navigate to the C:\CertGenVVD-version folder.
    4. Run Set-ExecutionPolicy RemoteSigned.
    5. Run the following command to generate the certificate for the Platform Services Controller.

      For example, you use the following command if you have downloaded version 2.1 of the utility.

      .\CertGenVVD-2.1.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
    6. The certificate and supporting files are saved to the C:\CertGenVVD\SignedByMSCACerts folder.
  3. Change the appliance shell to Bash shell to enable copying files to the appliance using the Secure Copy Protocol (SCP).
    1. Open an SSH connection to mgmt01psc51.lax01.rainpole.local and log in with the following credentials.







    2. Run the following command.
      chsh -s /bin/bash root
  4. Copy the generated certificates from the Windows host to the Platform Services Controller appliance.

    Use scp, WinSCP or FileZilla.

    1. Copy the contents of the C:\CertGenVVD\SignedByMSCACerts\lax01psc51.lax01 folder to /tmp/certs.
    2. Copy the Root64.cer file from C:\CertGenVVD\SignedByMSCACerts\RootCA folder to /tmp/certs.
  5. Replace the certificate on the Platform Services Controller.
    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /tmp/certs/lax01psc51.lax01.1.cer.
    6. When prompted for the custom key, enter /tmp/certs/lax01psc51.lax01.key.
    7. When prompted for the signing certificate, enter /tmp/certs/Root64.cer.
    8. When prompted to Continue operation, enter Y.

    9. The Platform Services Controller services restart automatically.
  6. Repeat Step 3 to Step 5 to replace the certificate on the Compute Platform Services Controller, comp01psc51.lax01.rainpole.local, in Region B.
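
Before importing in Step 5, the copied files can be checked against the common name and SAN requirements stated at the top of this page, and the key can be confirmed to belong to the certificate. The script below is an added example, not part of the VMware utility or this procedure; it assumes openssl is available in the Bash shell, that the load-balanced FQDN is lax01psc51.lax01.rainpole.local (inferred from the certificate file names), and its function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not VMware's code. Function names are hypothetical.
LB=lax01psc51.lax01.rainpole.local   # ASSUMED load-balanced FQDN (from file names)
NODES="mgmt01psc51.lax01.rainpole.local comp01psc51.lax01.rainpole.local"

# check_psc_cert CERT KEY LB_FQDN NODE_FQDN...
# Returns 0 only if the CN is LB_FQDN, the SAN lists the FQDN and short name of
# the load balancer and of every node, and KEY belongs to CERT.
check_psc_cert() {
  local cert=$1 key=$2 lb=$3 rc=0 cn sans fqdn name
  shift 2   # "$@" is now LB_FQDN followed by the node FQDNs
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  [ "$cn" = "$lb" ] || { echo "FAIL: CN is '$cn', expected '$lb'"; rc=1; }
  # One SAN dNSName per line, taken from the text dump of the certificate.
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://')
  for fqdn in "$@"; do
    for name in "$fqdn" "${fqdn%%.*}"; do   # FQDN, then its short name
      printf '%s\n' "$sans" | grep -qixF -- "$name" ||
        { echo "FAIL: SAN is missing $name"; rc=1; }
    done
  done
  # The public key in the certificate must equal the one derived from the key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "FAIL: private key does not match the certificate"; rc=1; }
  return $rc
}

# make_sample DIR CN SAN: constructed self-signed certificate and key standing
# in for the CA-signed files, so the check can be tried away from the appliance.
make_sample() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n' > "$1/req.cnf"
  printf '[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' "$2" "$3" >> "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
    -keyout "$1/sample.key" -out "$1/sample.cer" 2>/dev/null
}

demo() {   # constructed sample whose SAN lacks short names and the compute node
  local d; d=$(mktemp -d)
  make_sample "$d" "$LB" "DNS:$LB,DNS:mgmt01psc51.lax01.rainpole.local"
  check_psc_cert "$d/sample.cer" "$d/sample.key" "$LB" $NODES; rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
# On the appliance, after Step 4:
#   check_psc_cert /tmp/certs/lax01psc51.lax01.1.cer \
#     /tmp/certs/lax01psc51.lax01.key "$LB" $NODES && echo OK
```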