Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificate signing request (CSR) files that you can send to a third-party certificate authority and receive CA-signed certificates for the management components in Region B.

Prerequisites

A Windows host that has access to your data center.

Procedure

  1. Log in to a Windows host that has access to your data center.
  2. Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
  3. In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=LAX
    ST=CA
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.
    Table 1. Certificate Generation Files for Region B

    Host Name or Service in Region B              Configuration Files
    --------------------------------------------  -------------------
    Virtual Infrastructure Layer
    Platform Services Controller
      • lax01psc01.lax01.rainpole.local           lax01psc01.txt
      • lax01m01psc01.lax01.rainpole.local
      • lax01w01psc01.lax01.rainpole.local
    vCenter Server
      lax01m01vc01.lax01.rainpole.local           lax01m01vc01.txt
      lax01w01vc01.lax01.rainpole.local           lax01w01vc01.txt
    ESXi Hosts
      lax01m01esx01.lax01.rainpole.local          lax01m01esx01.txt
      lax01m01esx02.lax01.rainpole.local          lax01m01esx02.txt
      lax01m01esx03.lax01.rainpole.local          lax01m01esx03.txt
      lax01m01esx04.lax01.rainpole.local          lax01m01esx04.txt
      lax01w01esx01.lax01.rainpole.local          lax01w01esx01.txt
      lax01w01esx02.lax01.rainpole.local          lax01w01esx02.txt
      lax01w01esx03.lax01.rainpole.local          lax01w01esx03.txt
      lax01w01esx04.lax01.rainpole.local          lax01w01esx04.txt
    NSX Manager
      lax01m01nsx01.lax01.rainpole.local          lax01m01nsx01.txt
      lax01w01nsx01.lax01.rainpole.local          lax01w01nsx01.txt
    vSphere Data Protection
      lax01m01vdp01.lax01.rainpole.local          lax01m01vdp01.txt
    Site Recovery Manager and vSphere Replication
      lax01m01srm01.lax01.rainpole.local          lax01m01srm01.txt
      lax01m01vrms01.lax01.rainpole.local         lax01m01vrms01.txt
    Operations Management Layer
    vRealize Log Insight
      • lax01vrli01.lax01.rainpole.local          vrli.lax01.txt
      • lax01vrli01.lax01a.rainpole.local
      • lax01vrli01.lax01b.rainpole.local
      • lax01vrli01.lax01c.rainpole.local

  6. Verify that each configuration file includes the FQDN and host names in the dedicated sections.
    1. For example, the configuration file for the Platform Services Controller instances must contain the following properties:

      lax01psc01.txt

      [CERT]
      NAME=default
      ORG=default
      OU=default
      LOC=LAX
      ST=default
      CC=default
      CN=lax01psc01.lax01.rainpole.local
      keysize=default
      [SAN]
      lax01psc01
      lax01m01psc01
      lax01w01psc01
      lax01psc01.lax01.rainpole.local
      lax01m01psc01.lax01.rainpole.local
      lax01w01psc01.lax01.rainpole.local
  7. Open a Windows PowerShell prompt and navigate to the folder of the CertGenVVD utility.
    cd C:\CertGenVVD-version
  8. Grant permissions to run third-party PowerShell scripts.
    Set-ExecutionPolicy Unrestricted
  9. Validate that you can run the utility with the configuration on the host, and verify that VMware is included in the printed CA template policy.
    .\CertGenVVD-version.ps1 -validate
  10. Generate certificate request files for the management components in the SDDC.
    .\CertGenVVD-version.ps1 -CSR
  11. Locate the CSR files in the C:\CertGenVVD-version\CSRCerts folder and send them to the third-party CA to get the signed certificates.
  12. After you obtain all the signed certificate files and the root CA certificate, move the signed certificate files back to each directory where the CSR files reside.
  13. In a command prompt, navigate to the folder that contains the CA root certificate and rename it to Root64.cer.
  14. If the certificates are signed by multiple intermediate CAs, concatenate the certificates into one certificate chain file by running the following command (intermediate CAs first, root CA last).
    copy /b IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer Root64.cer
  15. Move the Root64.cer file to the C:\CertGenVVD-version\CSRCerts\Root64 folder.
  16. Run CertGenVVD tool with the -CSR and -extra command options to generate all certificates that are required for the SDDC management components.
    .\CertGenVVD-version.ps1 -CSR -extra
  17. After CertGenVVD generates the certificates, go to the C:\CertGenVVD-version\CSRCerts\Root64 folder and rename Root64.cer to chainRoot64.cer.
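The configuration-file format from steps 4 and 6 ([CERT] key=value pairs, then a [SAN] block with one name per line, where default inherits from default.txt) can be checked before you run -CSR. The following Python is an added example and not part of the CertGenVVD utility: it uses constructed samples that mirror default.txt and lax01psc01.txt, and the checks it applies (CN present in the SAN, short and full names both listed, key size at least 2048) are this editor's, not the tool's own -validate logic.

```python
# Added example, not CertGenVVD code. Constructed samples: default.txt (step 4) and lax01psc01.txt (step 6).
DEFAULT_TXT = "ORG=Rainpole Inc.\nOU=Rainpole.local\nLOC=LAX\nST=CA\nCC=US\nCN=VMware_VVD\nkeysize=2048\n"
PSC_TXT = """[CERT]
NAME=default
ORG=default
OU=default
LOC=LAX
ST=default
CC=default
CN=lax01psc01.lax01.rainpole.local
keysize=default
[SAN]
lax01psc01
lax01m01psc01
lax01w01psc01
lax01psc01.lax01.rainpole.local
lax01m01psc01.lax01.rainpole.local
lax01w01psc01.lax01.rainpole.local
"""

def parse_config(text, defaults=None):
    # Returns (cert, san): [CERT] pairs ('default' resolved from defaults when given) and [SAN] names in order.
    cert, san, section = {}, [], "CERT"
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "SAN":
            san.append(line)
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "default" and defaults is not None:
                value = defaults.get(key, value)
            cert[key] = value
    return cert, san

def check_config(cert, san, min_keysize=2048):
    # Returns a list of problems; an empty list means the file is ready for -CSR.
    problems = [f"{k} missing or unresolved" for k in ("ORG", "OU", "LOC", "ST", "CC", "CN", "keysize")
                if cert.get(k, "default") == "default"]
    cn = cert.get("CN", "")
    if "." not in cn:
        problems.append(f"CN is not an FQDN: {cn!r}")
    elif cn not in san:
        problems.append("CN is absent from [SAN]; TLS clients validate the SAN, not the CN")
    for name in san:  # each FQDN in the SAN should have its short host name listed too
        if "." in name and name.split(".", 1)[0] not in san:
            problems.append(f"short host name missing for {name}")
    if not cert.get("keysize", "").isdigit() or int(cert["keysize"]) < min_keysize:
        problems.append(f"keysize must be a number of at least {min_keysize}")
    return problems
```

Run check_config over every file in ConfigFiles with the parsed default.txt as defaults; a file that resolves cleanly and returns no problems matches the layout the procedure expects.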

What to do next

Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Management Products in Region B.