Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215 and VMware Validated Design Planning and Preparation.

Prerequisites

  • Provide a Windows Server 2012 host that is part of the sfo01.rainpole.local domain.

  • Install an intermediate Certificate Authority server on the sfo01.rainpole.local domain.

Procedure

  1. Log in to a Windows host that has access to your data center.
  2. Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 to the Windows host from which you connect to the data center, and extract the ZIP file to the C: drive.
  3. In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=SFO
    ST=CA
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.
    Table 1. Certificate Generation Files for Region A

    Host Name or Service in Region A          Configuration Files
    ----------------------------------------- -------------------
    Virtual Infrastructure Layer
      Platform Services Controller
        sfo01psc01.sfo01.rainpole.local       sfo01psc01.txt
        sfo01m01psc01.sfo01.rainpole.local
        sfo01w01psc01.sfo01.rainpole.local
      vCenter Server
        sfo01m01vc01.sfo01.rainpole.local     sfo01m01vc01.txt
        sfo01w01vc01.sfo01.rainpole.local     sfo01w01vc01.txt
      ESXi Hosts
        sfo01m01esx01.sfo01.rainpole.local    sfo01m01esx01.txt
        sfo01m01esx02.sfo01.rainpole.local    sfo01m01esx02.txt
        sfo01m01esx03.sfo01.rainpole.local    sfo01m01esx03.txt
        sfo01m01esx04.sfo01.rainpole.local    sfo01m01esx04.txt
        sfo01w01esx01.sfo01.rainpole.local    sfo01w01esx01.txt
        sfo01w01esx02.sfo01.rainpole.local    sfo01w01esx02.txt
        sfo01w01esx03.sfo01.rainpole.local    sfo01w01esx03.txt
        sfo01w01esx04.sfo01.rainpole.local    sfo01w01esx04.txt
      NSX Manager
        sfo01m01nsx01.sfo01.rainpole.local    sfo01m01nsx01.txt
        sfo01w01nsx01.sfo01.rainpole.local    sfo01w01nsx01.txt
      Site Recovery Manager and vSphere Replication
        sfo01m01srm01.sfo01.rainpole.local    sfo01m01srm01.txt
        sfo01m01vrms01.sfo01.rainpole.local   sfo01m01vrms01.txt
    Cloud Management Platform Layer
      vRealize Automation
        vra01svr01.rainpole.local             vra.txt
        vra01svr01a.rainpole.local
        vra01svr01b.rainpole.local
        vra01iws01.rainpole.local
        vra01iws01a.rainpole.local
        vra01iws01b.rainpole.local
        vra01ims01.rainpole.local
        vra01ims01a.rainpole.local
        vra01ims01b.rainpole.local
        vra01dem01a.rainpole.local
        vra01dem01b.rainpole.local
      vRealize Business Server
        vrb01svr01.rainpole.local             vrb.txt
    Operations Management Layer
      vRealize LifeCycle Manager
        vrslcm01svr01a.rainpole.local         vrslcm01svr01a.txt
      vRealize Operations Manager
        vrops01svr01.rainpole.local           vrops.txt
        vrops01svr01a.rainpole.local
        vrops01svr01b.rainpole.local
        vrops01svr01c.rainpole.local
      vRealize Log Insight
        sfo01vrli01.sfo01.rainpole.local      vrli.sfo01.txt
        sfo01vrli01a.sfo01.rainpole.local
        sfo01vrli01b.sfo01.rainpole.local
        sfo01vrli01c.sfo01.rainpole.local

  6. Verify that each configuration file includes the FQDNs and host names in the dedicated [CERT] and [SAN] sections.

    For example, the configuration file for the Platform Services Controller instances must contain the following properties:

    sfo01psc01.txt

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01psc01.sfo01.rainpole.local
    keysize=default
    [SAN]
    sfo01psc01.sfo01.rainpole.local
    sfo01m01psc01.sfo01.rainpole.local
    sfo01w01psc01.sfo01.rainpole.local
  7. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
    cd C:\CertGenVVD-version
  8. Grant permissions to run third-party PowerShell scripts.
    Set-ExecutionPolicy Unrestricted
  9. Validate that you can run the utility with the configuration on the host, and verify that VMware is included in the printed CA template policy.
    .\CertGenVVD-version.ps1 -validate
  10. Generate MSCA-signed certificates.
    .\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -inter
  11. In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts subfolder.
  12. In the C:\CertGenVVD-version\SignedByMSCACerts\Root64 subfolder, rename chainRoot64.cer to Root64.cer.
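
The configuration-file format from step 6 and the SignedByMSCACerts output from steps 11 and 12 can be checked from the same PowerShell prompt. The following script is an added example, not part of the VMware Validated Design documentation or of the CertGenVVD utility. It assumes that the issued certificate for a configuration file is stored as <CN>.cer somewhere below SignedByMSCACerts (the utility's output layout is not described on this page, so adjust the -Filter pattern to match your run), that the folder paths match the extracted CertGenVVD-version folder, and that Root64.cer is either a DER file or a Base64 file that may hold more than one certificate.

```powershell
# Added example (not from the VMware Validated Design or the CertGenVVD utility).
# Checks the ConfigFiles from step 6 and, once step 12 is done, the issued certificates.
# Assumptions, not taken from the page: the issued certificate for a configuration file
# is found as <CN>.cer below SignedByMSCACerts, and the default paths below match your
# extracted CertGenVVD-version folder.
param(
    [string]$ConfigDir = 'C:\CertGenVVD-version\ConfigFiles',
    [string]$CertRoot  = 'C:\CertGenVVD-version\SignedByMSCACerts',
    [string]$RootCer   = 'C:\CertGenVVD-version\SignedByMSCACerts\Root64\Root64.cer',
    [int]$KeySize      = 2048
)

# Parse one CertGenVVD file: key=value pairs under [CERT], one name per line under [SAN].
function Read-CertGenConfig {
    param([string]$Path)
    $section = ''; $cert = @{}; $san = @()
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1].ToUpper(); continue }
        if ($section -eq 'CERT' -and $line -match '^([^=]+)=(.*)$') {
            $cert[$Matches[1].Trim()] = $Matches[2].Trim()
        } elseif ($section -eq 'SAN') {
            $san += $line.ToLower()
        }
    }
    [pscustomobject]@{ File = (Split-Path -Leaf $Path); Cert = $cert; San = $san }
}

# Step 6 rules: the standard keys exist, CN is an FQDN, and the CN is also listed under [SAN].
function Test-CertGenConfig {
    param([pscustomobject]$Config)
    $issues = @()
    foreach ($key in 'NAME','ORG','OU','LOC','ST','CC','CN','keysize') {
        if (-not $Config.Cert.ContainsKey($key)) { $issues += "missing [CERT] key $key" }
    }
    $cn = $Config.Cert['CN']
    if ($cn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { $issues += "CN '$cn' is not an FQDN" }
    if ($Config.San.Count -eq 0) { $issues += 'empty [SAN] section' }
    elseif ($cn -and $Config.San -notcontains $cn.ToLower()) { $issues += "CN '$cn' is not listed in [SAN]" }
    return $issues
}

# Load every certificate in a .cer file: a Base64 file may hold several PEM blocks
# (for example an intermediate plus the root), a DER file holds exactly one.
function Read-CertFile {
    param([string]$Path)
    $text = [IO.File]::ReadAllText($Path)
    $blocks = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----')
    if ($blocks.Count -eq 0) {
        return ,(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path)
    }
    foreach ($b in $blocks) {
        $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
    }
}

# After step 12: the issued certificate carries every [SAN] name, uses the expected key
# size, and chains up to a certificate contained in Root64.cer.
function Test-IssuedCertificate {
    param([pscustomobject]$Config)
    $cn = $Config.Cert['CN']
    $file = Get-ChildItem -Path $CertRoot -Recurse -Filter "$cn.cer" -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $file) { return @("no certificate for $cn found under $CertRoot") }
    $cert = (Read-CertFile -Path $file.FullName)[0]
    $anchors = @(Read-CertFile -Path $RootCer)
    $issues = @()

    # The SAN extension (OID 2.5.29.17) formats as "DNS Name=host1, DNS Name=host2".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim().ToLower() }
    }
    foreach ($name in $Config.San) {
        if ($dnsNames -notcontains $name) { $issues += "SAN lacks $name" }
    }
    if ($cert.PublicKey.Key.KeySize -ne $KeySize) {
        $issues += "key size is $($cert.PublicKey.Key.KeySize), expected $KeySize"
    }

    # Offline chain build: the CA's CRL is not consulted, only the signature path is checked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($a in $anchors) { [void]$chain.ChainPolicy.ExtraStore.Add($a) }
    if (-not $chain.Build($cert)) {
        $issues += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    } else {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if (($anchors | ForEach-Object { $_.Thumbprint }) -notcontains $top.Thumbprint) {
            $issues += "chain ends at '$($top.Subject)', which is not in $RootCer"
        }
    }
    return $issues
}

foreach ($f in Get-ChildItem -Path $ConfigDir -Filter '*.txt') {
    $cfg = Read-CertGenConfig -Path $f.FullName
    $issues = @(Test-CertGenConfig -Config $cfg)
    if ($issues.Count -eq 0 -and (Test-Path $CertRoot)) { $issues += Test-IssuedCertificate -Config $cfg }
    if ($issues.Count -eq 0) { Write-Output "OK    $($cfg.File)" }
    else { $issues | ForEach-Object { Write-Output "FAIL  $($cfg.File): $_" } }
}
```

Run the script once before step 10, when only the configuration checks apply, to catch a CN that is missing from its own [SAN] list or a file that lacks a [SAN] section, and again after step 12 to confirm that every name in the table above appears in the issued certificate's SAN extension and that the certificate chains to the renamed Root64.cer.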

What to do next

Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Virtual Infrastructure Components in Region A, Replace Certificates of the Operations Management Components in Region A, and Replace Certificates of the Cloud Management Platform Components in Region A.