Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products in a single operation.

Prerequisites

Read VMware Knowledge Base article 2146215.

Procedure

  1. Log in as AD administrator to a Windows Server 2012 host that is part of the rainpole.local domain and has access to the data center.
  2. Download the Certificate Generation Utility from the Knowledge Base article and extract it on the host.
    1. Open the VMware Knowledge Base article in a Web browser.
    2. Extract CertGenVVD-version.zip to the C: drive.
  3. In the c:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=SFO
    ST=CA
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that only the following files are available in the c:\CertGenVVD-version\ConfigFiles folder.
    Table 1. Certificate Generation Files for Region A

    Host Name or Service in Region A                Configuration Files
    ----------------------------------------------- -------------------
    Virtual Infrastructure Layer
      Platform Services Controller
        • sfo01psc01.sfo01.rainpole.local           sfo01psc01.txt
        • sfo01m01psc01.sfo01.rainpole.local
        • sfo01w01psc01.sfo01.rainpole.local
      vCenter Server
        sfo01m01vc01.sfo01.rainpole.local           sfo01m01vc01.txt
        sfo01w01vc01.sfo01.rainpole.local           sfo01w01vc01.txt
      NSX Manager
        sfo01m01nsx01.sfo01.rainpole.local          sfo01m01nsx01.txt
        sfo01w01nsx01.sfo01.rainpole.local          sfo01w01nsx01.txt
      vSphere Data Protection
        sfo01m01vdp01.sfo01.rainpole.local          sfo01m01vdp01.txt
      Site Recovery Manager and vSphere Replication
        sfo01m01srm01.sfo01.rainpole.local          sfo01m01srm01.txt
        sfo01m01vrms01.sfo01.rainpole.local         sfo01m01vrms01.txt
    Cloud Management Platform Layer
      vRealize Automation
        • vra01svr01.rainpole.local                 vra.txt
        • vra01svr01a.rainpole.local
        • vra01svr01b.rainpole.local
        • vra01iws01.rainpole.local
        • vra01iws01a.rainpole.local
        • vra01iws01b.rainpole.local
        • vra01ims01.rainpole.local
        • vra01ims01a.rainpole.local
        • vra01ims01b.rainpole.local
        • vra01dem01a.rainpole.local
        • vra01dem01b.rainpole.local
      vRealize Business Server
        vrb01svr01.rainpole.local                   vrb.txt
    Operations Management Layer
      vRealize Operations Manager
        • vrops01svr01.rainpole.local               vrops-forVVD4.x.txt
        • vrops01svr01a.rainpole.local
        • vrops01svr01b.rainpole.local
        • vrops01svr01c.rainpole.local
      vRealize Log Insight
        • sfo01vrli01.sfo01.rainpole.local          vrli.sfo01.txt
        • sfo01vrli01a.sfo01.rainpole.local
        • sfo01vrli01b.sfo01.rainpole.local
        • sfo01vrli01c.sfo01.rainpole.local

    Table 2. Certificate Generation Files for Region B

    Host Name or Service in Region B                Configuration Files
    ----------------------------------------------- -------------------
    Virtual Infrastructure Layer
      Platform Services Controller
        • lax01psc01.lax01.rainpole.local           lax01psc01.txt
        • lax01m01psc01.lax01.rainpole.local
        • lax01w01psc01.lax01.rainpole.local
      vCenter Server
        lax01m01vc01.lax01.rainpole.local           lax01m01vc01.txt
        lax01w01vc01.lax01.rainpole.local           lax01w01vc01.txt
      NSX Manager
        lax01m01nsx01.sfo01.rainpole.local          lax01m01nsx01.txt
        lax01w01nsx01.sfo01.rainpole.local          lax01w01nsx01.txt
      vSphere Data Protection
        lax01m01vdp01.lax01.rainpole.local          lax01m01vdp01.txt
      Site Recovery Manager and vSphere Replication
        lax01m01srm01.lax01.rainpole.local          lax01m01srm01.txt
        lax01m01vrms01.lax01.rainpole.local         lax01m01vrms01.txt
    Operations Management Layer
      vRealize Log Insight
        • lax01vrli01.lax01.rainpole.local          vrli.lax01.txt
        • lax01vrli01a.lax01.rainpole.local
        • lax01vrli01b.lax01.rainpole.local
        • lax01vrli01c.lax01.rainpole.local

  6. Verify that each configuration file includes FQDNs and host names in the dedicated sections.

    For example, the configuration files for the Platform Services Controller instances must contain the following properties:

    sfo01psc01.txt

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01psc01.sfo01.rainpole.local
    keysize=default
    [SAN]
    sfo01psc01
    sfo01m01psc01
    sfo01w01psc01
    sfo01psc01.sfo01.rainpole.local
    sfo01m01psc01.sfo01.rainpole.local
    sfo01w01psc01.sfo01.rainpole.local

    lax01psc01.txt

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=LAX
    ST=default
    CC=default
    CN=lax01psc01.lax01.rainpole.local
    keysize=default
    [SAN]
    lax01psc01
    lax01m01psc01
    lax01w01psc01
    lax01psc01.lax01.rainpole.local
    lax01m01psc01.lax01.rainpole.local
    lax01w01psc01.lax01.rainpole.local

  7. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
    cd C:\CertGenVVD-version
  8. Grant permissions to run third-party PowerShell scripts.
    Set-ExecutionPolicy Unrestricted
  9. Validate that you can run the utility with the configuration on the host, and verify that VMware is included in the printed CA template policy.
    .\CertGenVVD-version.ps1 -validate
  10. Generate the MSCA-signed certificates.
    .\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
  11. In the C:\CertGenVVD-version folder, verify that the utility has created the SignedByMSCACerts sub-folder.
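A pre-flight check for the configuration files verified in steps 5 and 6, added here as an example and not part of the CertGenVVD utility: it parses each file in C:\CertGenVVD-version\ConfigFiles and reports a CN that is missing from [SAN], an FQDN in [SAN] without its short host name, or an explicit keysize below the 2048 set in default.txt. The folder path, the [CERT]/[SAN] layout and the default keyword come from this procedure; the function name and the checks themselves are assumptions.

```powershell
# Added example, not part of the CertGenVVD utility: validate the per-product
# configuration files before running the utility. The layout ([CERT] keys,
# [SAN] list, the "default" keyword) follows the sfo01psc01.txt shown above.
function Test-CertGenVVDConfig {
    param([Parameter(Mandatory)][string]$Path)

    $cert    = @{}
    $san     = @()
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1].ToUpper(); continue }
        if ($section -eq 'CERT' -and $line -match '^([^=]+)=(.*)$') {
            $cert[$Matches[1].Trim()] = $Matches[2].Trim()
        } elseif ($section -eq 'SAN') {
            $san += $line.ToLower()
        }
    }

    $problems = @()
    $cn = $cert['CN']
    if (-not $cn) {
        $problems += 'CN missing from [CERT]'
    } elseif ($cn -notmatch '\.') {
        $problems += "CN '$cn' is not an FQDN"
    } elseif ($san -notcontains $cn.ToLower()) {
        $problems += "CN '$cn' is not listed in [SAN]"
    }

    # Each FQDN in [SAN] is expected to be accompanied by its short host name.
    foreach ($fqdn in ($san | Where-Object { $_ -match '\.' })) {
        $short = $fqdn.Split('.')[0]
        if ($san -notcontains $short) { $problems += "[SAN] has '$fqdn' but not '$short'" }
    }

    # "default" inherits keysize=2048 from default.txt (step 4); an explicit value must not be weaker.
    $ks = $cert['keysize']
    if ($ks -and $ks -ne 'default' -and [int]$ks -lt 2048) { $problems += "keysize $ks is below 2048" }

    [pscustomobject]@{
        File     = Split-Path -Leaf $Path
        CN       = $cn
        SANCount = $san.Count
        Problems = ($problems -join '; ')
    }
}

# Report on every configuration file the utility will consume (the folder from step 5).
Get-ChildItem -Path 'C:\CertGenVVD-version\ConfigFiles' -Filter '*.txt' |
    ForEach-Object { Test-CertGenVVDConfig -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it from the same PowerShell prompt as step 7; a file with an empty Problems column matches the layout the procedure expects.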

What to do next

Replace the default product certificates with the certificates that the CertGenVVD utility generated, either at deployment time or later when a certificate expires.