To establish trusted connection with the other SDDC management components, you replace the default or expiring machine SSL certificate on each Platform Services Controller instance in the region with a custom certificate. The certificate, generated by the CertGenVVD utility, is signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.

About this task

Table 1. Certificate-Related Files on Platform Services Controller Instance

Platform Services Controller

Certificate File Name

sfo01w01psc01.sfo01.rainpole.local

  • sfo01w01psc01.1.cer

  • sfo01w01psc01.key

  • Root64.cer

Procedure

  1. Open a Secure SHell connection to the Platform Services Controller virtual machine.
    1. Open an SSH connection to sfo01w01psc01.sfo01.rainpole.local.
    2. Log in using the following credentials.

      Setting

      Value

      Username

      root

      Password

      psc_root_password

  2. To allow secure copy (scp) connections for the root user, change the Platform Services Controller command shell to the Bash shell.
    shell
    chsh -s "/bin/bash" root
  3. Copy the generated certificates to the Platform Services Controller.
    1. Run the following command to create a new temporary folder.
      mkdir -p /root/certs
    2. Copy the certificate files sfo01w01psc01.1.cer, sfo01w01psc01.key, and Root64.cer to the /root/certs folder.

      You can use an scp software like WinSCP.

  4. Replace the certificate on the Platform Services Controller.
    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.
      /usr/lib/vmware-vmca/bin/certificate-manager
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /root/certs/sfo01w01psc01.1.cer.
    6. When prompted for the custom key, enter /root/certs/sfo01w01psc01.key.
    7. When prompted for the signing certificate, enter /root/certs/Root64.cer.
    8. When prompted to Continue operation, enter Y.

      The Platform Services Controller services automatically restart.

  5. Verify that the new certificate has been installed successfully.
    1. Open a Web Browser and go to https://sfo01w01psc01.sfo01.rainpole.local.
    2. Verify that the Web browser shows the new certificate.
  6. After Certificate Manager replaces the certificates, restart the vami-lighttp service to update the certificate in the virtual application management interface (VAMI) and to remove certificate files from Platform Services Controller.

    service vami-lighttp restart
    cd /root/certs
    
    rm sfo01w01psc01.1.cer sfo01w01psc01.key Root64.cer
  7. Switch the shell back to the appliance shell.
    chsh -s /bin/appliancesh root