Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate, in a single operation, certificates signed by the Microsoft certificate authority (MSCA) for all management products.

About this task

For complete information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215.

Procedure

  1. Log in, as the AD administrator, to a Windows Server 2012 host that has access to the data center and is a member of the rainpole.local domain.
  2. Download and extract the Certificate Generation Utility from VMware Knowledge Base article 2146215.
    1. Open the VMware Knowledge Base article in a Web browser.
    2. Extract CertGenVVD-version.zip to the C: drive.
  3. In the c:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=SFO
    ST=CA
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that only the following files are available in the c:\CertGenVVD-version\ConfigFiles folder. For each product, the list gives the host names or services it covers and the configuration file that produces its certificate.

    SFO01 Platform Services Controller
      Hostnames or Services:
      • sfo01psc01.sfo01.rainpole.local
      • sfo01w01psc01.sfo01.rainpole.local
      Configuration Files:
      • sfo01psc01.txt

    SFO01 vCenter Server
      Hostnames or Services:
      • sfo01w01vc01.sfo01.rainpole.local
      Configuration Files:
      • sfo01w01vc01.txt

    SFO01 NSX Manager
      Hostnames or Services:
      • sfo01w01nsx01.sfo01.rainpole.local
      Configuration Files:
      • sfo01w01nsx01.txt

    SFO01 VDP
      Hostnames or Services:
      • sfo01m01vdp01.sfo01.rainpole.local
      Configuration Files:
      • sfo01m01vdp01.txt

    SFO01 CMP vRealize Automation
      Hostnames or Services:
      • vra01svr01.rainpole.local
      • vra01svr01a.rainpole.local
      • vra01iws01.rainpole.local
      • vra01iws01a.rainpole.local
      • vra01ims01.rainpole.local
      • vra01ims01a.rainpole.local
      Configuration Files:
      • vra.txt

    SFO01 CMP vRealize Business Server
      Hostnames or Services:
      • vrb01svr01.rainpole.local
      Configuration Files:
      • vrb.txt

    SFO01 Operations vRealize Operations
      Hostnames or Services:
      • vrops01svr01.rainpole.local
      • vrops01svr01a.rainpole.local
      Configuration Files:
      • vrops-for1pod.txt

    SFO01 Operations vRealize Log Insight
      Hostnames or Services:
      • sfo01vrli01.rainpole.local
      • sfo01vrli01a.rainpole.local
      Configuration Files:
      • vrli.sfo01.txt

  6. Verify that each configuration file includes the FQDNs and host names listed for it in the table.
    1. For example, the sfo01psc01.txt configuration file has the following content:

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=SFO
      ST=default
      CC=default
      CN=sfo01psc01.sfo01.rainpole.local
      keysize=default
      [SAN]
      sfo01psc01
      sfo01w01psc01
      sfo01psc01.sfo01.rainpole.local
      sfo01w01psc01.sfo01.rainpole.local

  7. Open a Windows PowerShell prompt and navigate to the c:\CertGenVVD-version folder.
    cd c:\CertGenVVD-version
  8. Run the following command to allow PowerShell to run third-party scripts.
    Set-ExecutionPolicy Unrestricted
  9. Run the following command to validate the prerequisites for running the utility.
    .\CertGenVVD-version.ps1 -validate

    In the output, verify that VMware is included in the available CA Template Policy.
  10. Run the following command to generate MSCA-signed certificates.
    .\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
  11. In the c:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts sub-folder.
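To perform the check in step 6 without reading every file by hand, the following PowerShell is an added example (not from this VVD page or the CertGenVVD utility): it parses the [CERT]/[SAN] layout shown above and reports any configuration file whose CN or [SAN] list does not match the host names from the table in step 5. The sample files it writes under %TEMP% and the $expected mapping are constructed for the demonstration.

```powershell
# Added example (not from the VVD page or CertGenVVD): checks each ConfigFiles entry
# against the expected FQDN list from the table in step 5. CN must be an expected FQDN
# and every FQDN plus its short host name must be listed under [SAN].
function Test-CertGenConfigFiles {
    param([Parameter(Mandatory)][string]$ConfigDir,
          [Parameter(Mandatory)][hashtable]$Expected)   # file name -> FQDN list
    $problems = @()
    foreach ($file in $Expected.Keys) {
        $path = Join-Path $ConfigDir $file
        if (-not (Test-Path $path)) { $problems += "$file is missing"; continue }
        $section = ''; $cert = @{}; $san = @()
        foreach ($raw in Get-Content $path) {
            $line = $raw.Trim()
            if ($line -eq '') { continue }
            if ($line -match '^\[(\w+)\]$') { $section = $Matches[1].ToUpper(); continue }
            if ($section -eq 'CERT' -and $line -match '^([^=]+)=(.*)$') {
                $cert[$Matches[1].Trim()] = $Matches[2].Trim()
            } elseif ($section -eq 'SAN') { $san += $line.ToLower() }
        }
        $cn = $cert['CN']
        if (-not $cn -or $cn -eq 'default' -or $Expected[$file] -notcontains $cn) {
            $problems += "${file}: CN '$cn' is not one of the expected FQDNs"
        }
        foreach ($fqdn in $Expected[$file]) {
            foreach ($name in @($fqdn, $fqdn.Split('.')[0])) {
                if ($san -notcontains $name.ToLower()) { $problems += "${file}: [SAN] lacks $name" }
            }
        }
    }
    return $problems
}

# Constructed sample: a complete PSC file and a vCenter file whose [SAN] omits the FQDN.
$dir = Join-Path $env:TEMP 'CertGenVVD-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@"
[CERT]
CN=sfo01psc01.sfo01.rainpole.local
[SAN]
sfo01psc01
sfo01w01psc01
sfo01psc01.sfo01.rainpole.local
sfo01w01psc01.sfo01.rainpole.local
"@ | Set-Content (Join-Path $dir 'sfo01psc01.txt')
"[CERT]`nCN=sfo01w01vc01.sfo01.rainpole.local`n[SAN]`nsfo01w01vc01" | Set-Content (Join-Path $dir 'sfo01w01vc01.txt')
$expected = @{ 'sfo01psc01.txt'   = @('sfo01psc01.sfo01.rainpole.local', 'sfo01w01psc01.sfo01.rainpole.local')
               'sfo01w01vc01.txt' = @('sfo01w01vc01.sfo01.rainpole.local') }
Test-CertGenConfigFiles -ConfigDir $dir -Expected $expected
```

Point -ConfigDir at c:\CertGenVVD-version\ConfigFiles and build $expected from the full table to check a real deployment; an empty result means every file matched.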

What to do next

Replace the default product certificates with the certificates that the CertGenVVD utility generated, either at deployment time or later when a certificate expires.