After you obtain signed certificates for the management ESXi hosts in Region B, use them to replace the default VMware Certificate Authority (VMCA) signed certificates on the hosts.

About this task

You replace the certificate separately on each host in the management cluster and in the shared edge and compute cluster. Each host receives its own key and certificate, named as in Table 1.

Table 1. Certificate File Names for the Management Hosts in Region B

ESXi Host                             Certificate File Names
lax01m01esx01.lax01.rainpole.local    lax01m01esx01.key, lax01m01esx01.1.cer
lax01m01esx02.lax01.rainpole.local    lax01m01esx02.key, lax01m01esx02.1.cer
lax01m01esx03.lax01.rainpole.local    lax01m01esx03.key, lax01m01esx03.1.cer
lax01m01esx04.lax01.rainpole.local    lax01m01esx04.key, lax01m01esx04.1.cer

Procedure

  1. Disable lockdown mode and start the SSH service on the host.
    1. Open a Web browser and go to https://lax01m01vc01.lax01.rainpole.local.
    2. Log in using the following credentials.

      Setting       Value
      User name     vcenteradmin
      Password      vsphere_admin_password

    3. From the Home menu, select Hosts and Clusters, select the lax01m01esx01.lax01.rainpole.local host, and click the Configure tab.
    4. Under System, click Security Profile, scroll down to Lockdown Mode, and click Edit.
    5. In the Lockdown Mode dialog box, select Disabled and click OK.
    6. Scroll up to the Services pane and click Edit.
    7. In the Edit Security Profile dialog box, select SSH.
    8. If the status of the service is not Running, click Start.
    9. Click OK to close the Edit Security Profile dialog box.
  2. Place the host in maintenance mode.
    1. Under the lax01-m01dc data center, right-click the lax01m01esx01.lax01.rainpole.local host object and select Maintenance Mode > Enter Maintenance Mode.
    2. In the Confirm Maintenance Mode dialog box, select Move powered-off and suspended virtual machines to other hosts in the cluster and click OK.
  3. Replace the certificate files on the host.
    1. After the maintenance mode task is complete, open an SSH connection to the lax01m01esx01.lax01.rainpole.local host using the following credentials.

      Setting       Value
      User name     root
      Password      esxi_root_user_password

    2. Copy the lax01m01esx01.key and lax01m01esx01.1.cer files from the Windows host where you run the CertGenVVD tool to the /etc/vmware/ssl directory on the host.
    3. Run the following commands to back up the current certificate and key files and to replace them with the generated files. The backup and the new key contain private key material, so make them readable by root only.
      cd /etc/vmware/ssl
      # Back up the current certificate and private key into one root-only file
      cat rui.crt >> rui.bak
      cat rui.key >> rui.bak
      chmod 600 rui.bak
      # Install the generated key and certificate under the names ESXi expects
      mv lax01m01esx01.key rui.key
      mv lax01m01esx01.1.cer rui.crt
      chmod 600 rui.key
  4. Restart the management agents on the host.
    1. Run the dcui command to open the Direct Console User Interface (DCUI).
    2. Press F12 to open the System Customization menu.
    3. Select Troubleshooting Options and press Enter.
    4. Select Restart Management Agents and press Enter.
    5. Press F11 to confirm the restart and, when it completes, press Enter.
    6. Press Ctrl+C to close the dcui application.
    7. Run the following commands to restart the vsanvpd and vsanmgmtd services.
      /etc/init.d/vsanvpd restart
      /etc/init.d/vsanmgmtd restart
  5. Verify that the custom certificate is installed.
    1. Open a Web browser and go to https://lax01m01esx01.lax01.rainpole.local.
    2. Verify that the certificate returned by the host is issued by the Rainpole certificate authority rather than by the VMCA.
  6. Exit maintenance mode of the host.
    1. Open a Web browser and go to https://lax01m01vc01.lax01.rainpole.local.
    2. Log in using the following credentials.

      Setting       Value
      User name     administrator@vsphere.local
      Password      vsphere_admin_password

    3. From the Home menu, select Hosts and Clusters.
    4. Under the lax01-m01dc data center, right-click the lax01m01esx01.lax01.rainpole.local host object and select Maintenance Mode > Exit Maintenance Mode.
    5. Make sure that no warning message about an untrusted lax01m01esx01.lax01.rainpole.local certificate appears.
  7. Reconnect the ESXi host to vCenter Server to refresh the host certificate on vCenter Server.
    1. Under the lax01-m01dc data center, right-click the lax01m01esx01.lax01.rainpole.local host object and select Connection > Disconnect.
    2. Click Yes in the Confirm Disconnect dialog box.
    3. Wait until the host is disconnected.
    4. Under the lax01-m01dc data center, right-click the lax01m01esx01.lax01.rainpole.local host object and select Connection > Connect.
    5. In the Navigator, under Hosts and Cluster, select lax01m01esx01.lax01.rainpole.local, and click the Configure tab.
    6. Under System, select Certificates and verify that the certificate displayed for the host is the new one.
  8. Verify that the storage providers are online for the ESXi host.
    1. Under the lax01-m01dc data center, select the lax01m01vc01.lax01.rainpole.local vCenter Server object and click the Configure tab.
    2. Under More, select Storage Providers.
    3. Verify that the status of the vSAN storage provider with the URL http://lax01m01esx01.lax01.rainpole.local:8080/version.xml is Online.
    4. If the status is not Online, select the URL, click the Unregister the selected storage provider icon, and then click the Synchronizes all the storage providers with the current states of the environment icon.
  9. Repeat the procedure for the rest of the management ESXi hosts in Region B. When you have finished with a host, stop the SSH service and restore the lockdown mode setting the host had before you started, so that the shell access opened for this procedure does not remain available.
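The following script is an added example and is not VMware's own code or part of the Validated Design. It wraps steps 3 to 5 of the procedure above in shell functions for the ESXi shell (busybox sh) using the openssl binary that ships with ESXi, and adds the checks a practitioner wants before touching /etc/vmware/ssl: that the key and certificate from Table 1 actually belong together, that the new certificate is not still VMCA-issued, and that the backup (which holds the old private key) and the new key are created root-only. Assumptions not taken from the page: the backup is written to a timestamped rui.bak.<stamp> file, the issuer string looked for is "Rainpole", and restarting hostd and vpxa from the shell stands in for the DCUI Restart Management Agents option.

```shell
#!/bin/sh
# Added example, not part of the VMware Validated Design page.
# Run on the ESXi host from the ESXi shell after the files from Table 1 have
# been copied to /etc/vmware/ssl:   sh replace-cert.sh lax01m01esx01

set -u

SSL_DIR=/etc/vmware/ssl

# Print the issuer field of a PEM certificate.
cert_issuer() {
    openssl x509 -noout -issuer -in "$1"
}

# Return 0 when the certificate's issuer contains the given string, e.g.
#   issued_by rui.crt Rainpole   (custom CA)     issued_by rui.crt VMware   (VMCA)
issued_by() {
    cert_issuer "$1" | grep -q -- "$2"
}

# Return 0 when the private key and the certificate carry the same public key.
# A key that belongs to another host's CSR leaves hostd unable to start, so
# the pair is checked before anything is moved into place.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$2") || return 1
    key_pub=$(openssl pkey -pubout -in "$1") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Step 3 of the procedure: validate the pair, back up the current files into a
# root-only timestamped file (assumed name), install the new pair, lock the key.
#   install_cert /etc/vmware/ssl lax01m01esx01.key lax01m01esx01.1.cer
install_cert() {
    dir=$1; newkey=$2; newcert=$3
    key_matches_cert "$dir/$newkey" "$dir/$newcert" || {
        echo "refusing to install: $newkey does not match $newcert" >&2
        return 1
    }
    bak="$dir/rui.bak.$(date +%Y%m%d%H%M%S)"
    ( umask 077 && cat "$dir/rui.crt" "$dir/rui.key" > "$bak" ) || return 1
    mv "$dir/$newkey" "$dir/rui.key" || return 1
    mv "$dir/$newcert" "$dir/rui.crt" || return 1
    chmod 600 "$dir/rui.key" && chmod 644 "$dir/rui.crt"
}

# Shell equivalent of step 4: hostd and vpxa are what the DCUI "Restart
# Management Agents" option restarts; then the two vSAN daemons from the page.
restart_agents() {
    /etc/init.d/hostd restart && /etc/init.d/vpxa restart &&
    /etc/init.d/vsanvpd restart && /etc/init.d/vsanmgmtd restart
}

# Step 5 without a browser, from any machine that can reach the host: show the
# issuer, subject and expiry of the certificate the host actually serves on 443.
#   served_cert lax01m01esx01.lax01.rainpole.local
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer -subject -enddate
}

if [ $# -ge 1 ]; then
    install_cert "$SSL_DIR" "$1.key" "$1.1.cer" && restart_agents
fi
```

Run served_cert from the admin workstation rather than the host so that the check exercises the same path a client uses; if it still reports a VMware issuer after the restart, hostd has not picked up the new files and step 4 needs to be repeated.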