Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificate signing request (CSR) files for the management components in the Consolidated SDDC that you can send to a third-party certificate authority. After you receive the CA-signed certificates, run the CertGenVVD utility again to convert the certificate for each component into the format that the component supports.
About this task
You can then replace the certificates on these components, for example, if they are about to expire or are compromised.
Provide a Windows Server 2012 host that has access to your data center.
- Log in to a Windows host that has access to your data center.
- Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
- In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
- Verify that the following properties are configured.
ORG=Rainpole Inc.
OU=Rainpole.local
LOC=SFO
ST=CA
CC=US
CN=VMware_VVD
keysize=2048
- Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.
Table 1. Certificate Generation Files for Consolidated SDDC

| Layer | Host Name or Service in Consolidated SDDC |
|---|---|
| Virtual Infrastructure Layer | Platform Services Controller |
| | vSphere Data Protection |
| Cloud Management Platform Layer | vRealize Business Server |
| Operations Management Layer | vRealize Operations Manager |
| | vRealize Log Insight |
- Verify that each configuration file includes the FQDN and host name in the dedicated sections.
For example, the configuration files for the Platform Services Controller instances must contain the following properties:
[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=sfo01w01psc01.sfo01.rainpole.local
keysize=default
[SAN]
sfo01w01psc01
sfo01w01psc01.sfo01.rainpole.local
- Open a Windows PowerShell prompt and navigate to the folder of the CertGenVVD utility.
- Grant permissions to run third-party PowerShell scripts.
- Validate that you can run the utility with the configuration on the host, and verify that VMware is included in the printed CA template policy.
- Generate certificate request files for the management components in the SDDC.
- Locate the CSR files in the C:\CertGenVVD-version\CSRCerts folder and send them to the third-party CA to obtain the signed certificates.
- After you obtain all the signed certificate files and the root CA certificate, move the signed certificate files back to each directory where the CSR files reside.
- In a command prompt, navigate to the folder that contains the CA root certificate and rename it to Root64.cer.
- If the certificates are signed by multiple intermediate CAs, concatenate the certificates into one certificate chain file by running the following command. The intermediate certificates come first and the root certificate last, and the destination file is given as the last argument of copy rather than as a shell redirection.
copy /b IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer Root64.cer
- Move the Root64.cer to the C:\CertGenVVD-version\CSRCerts\Root64 folder.
- Run the CertGenVVD tool with the -CSR and -extra command options to generate all certificates that are required for the SDDC management components.
.\CertGenVVD-version.ps1 -CSR -extra
- After CertGenVVD generates the certificates, go to the C:\CertGenVVD-version\CSRCerts\Root64 folder and rename Root64.cer to chainRoot64.cer.
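A preflight check for the configuration files described in the steps above, added here as example code (it is not part of the CertGenVVD utility). It assumes the [CERT]/[SAN] file layout and the default.txt values shown in this procedure; the embedded sample file is constructed from the Platform Services Controller example, and the hostname rule is an assumption about what a CA accepts in a SAN.

```python
# Added preflight check for CertGenVVD-style config files (example code, not part of the
# CertGenVVD utility): resolve 'default' values against default.txt, then flag a CN missing
# from [SAN], a SAN that is not a hostname (e.g. the default CN VMware_VVD), or keysize < 2048.
import re

DEFAULT_TXT = """ORG=Rainpole Inc.
OU=Rainpole.local
LOC=SFO
ST=CA
CC=US
CN=VMware_VVD
keysize=2048"""

# Constructed sample: the Platform Services Controller file shown in the text.
PSC_CONFIG = """[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=sfo01w01psc01.sfo01.rainpole.local
keysize=default
[SAN]
sfo01w01psc01
sfo01w01psc01.sfo01.rainpole.local"""

HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$", re.I)  # no underscores or spaces
def parse_config(text, default_txt=DEFAULT_TXT):
    """Return (cert_fields, san_names) with 'default' values taken from default.txt."""
    defaults = dict(l.split("=", 1) for l in default_txt.splitlines() if "=" in l)
    section, cert, san = None, {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "CERT":
            key, _, value = line.partition("=")
            cert[key] = defaults.get(key, value) if value == "default" else value
        elif section == "SAN":
            san.append(line)
    return cert, san

def check_config(text, default_txt=DEFAULT_TXT):
    """Return the problems found; an empty list means the file is ready for -CSR."""
    cert, san = parse_config(text, default_txt)
    problems = [f"CN {cert.get('CN')} is not listed in [SAN]"] if cert.get("CN") not in san else []
    problems += [f"invalid SAN entry: {n}" for n in san if not HOSTNAME.match(n)]
    if not cert.get("keysize", "").isdigit() or int(cert["keysize"]) < 2048:
        problems.append(f"keysize {cert.get('keysize')} is below 2048")
    return problems
```

Run check_config over every file in the ConfigFiles folder before generating CSRs; a file that leaves CN at default is reported because VMware_VVD is neither a hostname nor in its [SAN] list.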
What to do next
Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace the Certificates of the Management Products for Consolidated SDDC.