You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA). You use the same certificate on the two instances.

About this task

The machine certificate on both Platform Services Controller instances in the region must be the same because the instances are load-balanced. The certificate must have a common name (CN) that is equal to the load-balanced Fully Qualified Domain Name (FQDN). The FQDN and short name of each Platform Services Controller, and the load-balanced FQDN and short name, must all be in the Subject Alternative Name (SAN) of the generated certificate.

You must repeat this procedure twice: first on the Platform Services Controller sfo01m01psc01.sfo01.rainpole.local, and then on the Platform Services Controller sfo01w01psc01.sfo01.rainpole.local.

Table 1. Certificate-Related Files on Platform Services Controllers

Platform Services Controller          Certificate File Name                                Replacement Order
sfo01m01psc01.sfo01.rainpole.local    sfo01psc01.key, sfo01psc01.1.cer, chainRoot64.cer    First
sfo01w01psc01.sfo01.rainpole.local    sfo01psc01.key, sfo01psc01.1.cer, chainRoot64.cer    Second

Procedure

  1. Log in to vCenter Server by using the vSphere Web Client.
    1. Open a Web browser and go to https://sfo01m01vc01.sfo01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

       Setting      Value
       User name    administrator@vsphere.local
       Password     vsphere_admin_password

  2. Disable the Platform Services Controller for the shared edge and compute cluster, sfo01w01psc01, in the load balancer so that all traffic is routed to the Platform Services Controller for the management cluster, sfo01m01psc01.
    1. From the vSphere Web Client Home menu, select Network & Security.
    2. In the Navigator, select NSX Edges.
    3. From the NSX Manager drop-down menu, select 172.16.11.65.
    4. Double-click the sfo01psc01 edge device to open its network settings.
    5. On the Manage tab, click the Load Balancer tab and click Pools.
    6. Select pool-1 and click Edit.
    7. Select the sfo01w01psc01 member, click Edit, select Disable from the State drop-down menu, and click OK.
    8. Repeat the previous step to disable the sfo01w01psc01 member in pool-2.
  3. Log in to the sfo01m01psc01 Platform Services Controller by using a Secure Shell (SSH) client.
    1. Open an SSH connection to sfo01m01psc01.sfo01.rainpole.local.
    2. Log in using the following credentials.

       Setting      Value
       User name    root
       Password     sfo01m01psc01_root_password

  4. Change the Platform Services Controller command shell to the Bash shell.
    shell
    chsh -s "/bin/bash" root
  5. Copy the generated certificates to the Platform Services Controller.
    1. Run the following command to create a new temporary folder.
      mkdir -p /root/certs
    2. Copy the certificate files sfo01psc01.1.cer, sfo01psc01.key and chainRoot64.cer to the /root/certs folder.

      You can use an SCP client such as WinSCP.

  6. Replace the certificate on the Platform Services Controller.
    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.
      /usr/lib/vmware-vmca/bin/certificate-manager
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /root/certs/sfo01psc01.1.cer.
    6. When prompted for the custom key, enter /root/certs/sfo01psc01.key.
    7. When prompted for the signing certificate, enter /root/certs/chainRoot64.cer.
    8. When prompted to Continue operation, enter Y.
    9. The Platform Services Controller services restart automatically.
  7. Verify that the new certificate has been installed successfully.
    1. Open a Web Browser and go to https://sfo01m01psc01.sfo01.rainpole.local.
    2. Verify that the Web browser shows the new certificate.
  8. After Certificate Manager replaces the certificate, run the following commands in the SSH session to restart the vami-lighttp service and to remove the certificate files.
    service vami-lighttp restart
    cd /root/certs
    rm sfo01psc01.1.cer sfo01psc01.key chainRoot64.cer
  9. Switch the shell back to the appliance shell.
    chsh -s /bin/appliancesh root
  10. Repeat Step 3 to Step 9 to replace the certificate on sfo01w01psc01.sfo01.rainpole.local.
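Before running certificate-manager in Step 6, it is worth checking the files copied in Step 5 against the requirements stated under About this task: CN equal to the load-balanced FQDN, short and long names of both nodes and of the load balancer present in the SAN, private key matching the certificate, and chainRoot64.cer actually validating it. The browser check in Step 7 only shows that some certificate was installed. The following script is an added example written for this page, not VMware code and not part of the documented procedure; it uses only the openssl binary present on the appliance. The host names, domain and file names are the ones from Table 1; the load-balanced FQDN sfo01psc01.sfo01.rainpole.local is an assumption inferred from the NSX edge and certificate file names on this page and must be adjusted if yours differs.

```shell
#!/bin/sh
# Pre-flight check of the custom machine SSL certificate before it is imported
# with certificate-manager (Step 6). Added example for this page, not VMware code.
# Host names, domain and file names come from Table 1; the load-balanced FQDN
# below is an ASSUMPTION derived from the edge and file names on the page.
#
# Usage (on the PSC, after Step 5):
#   sh check_psc_cert.sh /root/certs/sfo01psc01.1.cer /root/certs/sfo01psc01.key /root/certs/chainRoot64.cer

LB_FQDN="sfo01psc01.sfo01.rainpole.local"   # assumption, see above
DOMAIN="sfo01.rainpole.local"
NODE_SHORT_NAMES="sfo01m01psc01 sfo01w01psc01"

# CN of the certificate subject; RFC2253 output is stable across openssl versions.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS entries of the Subject Alternative Name extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
    tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS:\(.*\)$/\1/p'
}

# The public key in the certificate must equal the one derived from the key file.
key_matches_cert() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_psc_cert CERT KEY CHAIN
# Prints one line per requirement; returns 0 only if every requirement holds.
check_psc_cert() {
  local cert key chain fail cn sans required n
  cert="$1"; key="$2"; chain="$3"; fail=0

  cn=$(cert_cn "$cert")
  if [ "$cn" = "$LB_FQDN" ]; then
    echo "ok    CN is the load-balanced FQDN ($cn)"
  else
    echo "FAIL  CN is '$cn', expected $LB_FQDN"; fail=1
  fi

  # Short name and FQDN of the load balancer and of every PSC node must be SANs.
  sans=$(cert_sans "$cert")
  required="${LB_FQDN%%.*} $LB_FQDN"
  for n in $NODE_SHORT_NAMES; do required="$required $n $n.$DOMAIN"; done
  for n in $required; do
    if printf '%s\n' "$sans" | grep -qxF "$n"; then
      echo "ok    SAN present: $n"
    else
      echo "FAIL  SAN missing: $n"; fail=1
    fi
  done

  if key_matches_cert "$cert" "$key"; then
    echo "ok    $key matches $cert"
  else
    echo "FAIL  $key does not match $cert"; fail=1
  fi

  # certificate-manager is handed the chain as the signing certificate; it must
  # really validate the machine certificate (root plus any intermediates).
  if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "ok    $cert verifies against $chain"
  else
    echo "FAIL  $cert does not verify against $chain"; fail=1
  fi

  if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "ok    certificate has not expired"
  else
    echo "FAIL  certificate has expired"; fail=1
  fi
  return "$fail"
}

# Run the check when given the three file names; sourcing the file only defines the functions.
if [ "$#" -eq 3 ]; then
  check_psc_cert "$1" "$2" "$3"
fi
```

Run it on each Platform Services Controller before Step 6. Any FAIL line means the certificate should be reissued rather than imported: a missing node short name in the SAN, for example, is not something the import itself will warn about, and it only shows up later as browser or service trust errors when clients reach a node by that name.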