Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate with a single operation certificates that are signed by the Microsoft certificate authority (MSCA) for all management components. In this way, you can skip sending Certificate Signing Requests to a third-party CA. The generated certificates are compliant with the requirements of the individual management components.
About this task
For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215 and the VMware Validated Design Planning and Preparation.
Provide a Window Server 2012 host that is part of the sfo01.rainpole.local domain.
Install an intermediate CA server on the sfo01.rainpole.local
- Log in to the Windows host that has access to your data center.
- Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
- In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
- Verify that following properties are configured.
ORG=Rainpole Inc. OU=Rainpole.local LOC=SFO ST=CA CC=US CN=VMware_VVD keysize=2048
- Verify that only the C:\CertGenVVD-version\ConfigFiles folder contains only following files.
Table 1. Certificate Generation Files for Consolidated SDDC
Host Name or Service in Consolidated SDDC
Platform Services Controller
vSphere Data Protection
Cloud Management Platform
vRealize Business Server
vRealize Operations Manager
vRealize Log Insight
- Verify that each configuration file includes FQDNs and host names in the dedicated sections.
For example, the configuration files for the Platform Service Controller instances must contain the following properties:
[CERT] NAME=default ORG=default OU=default LOC=SFO ST=default CC=default CN=sfo01w01psc01.sfo01.rainpole.local keysize=default [SAN] sfo01w01psc01 sfo01w01psc01.sfo01.rainpole.local
- Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
- Grant permissions to run third-party PowerShell scripts.
- Validate if you can run the utility using the configuration on the host and verify if VMware is included in the printed CA template policy.
- Generate MSCA-signed certificates.
.\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -inter
- In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts sub-folder.
What to do next
Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace the Certificates of the Management Products for Consolidated SDDC.