To establish a trusted connection with the other SDDC management components, you replace the machine SSL certificate on each Platform Services Controller instance in Region B with a custom certificate signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.

The machine certificate on both Platform Services Controller instances in the region must be the same because they are load-balanced according to this Validated Design. The certificate must have a common name that is equal to the load-balanced Fully Qualified Domain Name (FQDN). Each Platform Services Controller FQDN and short name, as well as the load-balanced FQDN and short name must be in the Subject Alternative Name (SAN) of the generated certificate.

Table 1. Certificate-Related Files on Platform Services Controllers

Platform Services Controller

Certificate Filename


  • lax01psc01.1.cer

  • lax01psc01.key

  • Root64.cer


  • lax01psc01.1.cer

  • lax01psc01.key

  • Root64.cer


  1. Open a Secure Shell (SSH) connection to the Platform Services Controller virtual machine.
    1. Open an SSH connection to lax01m01psc01.lax01.rainpole.local and log in with the following credentials.



      User name




  2. Change the Platform Services Controller command shell to the Bash shell to allow secure copy (scp) connections for the root user.

    chsh -s "/bin/bash" root

  3. Copy the generated certificates to the Platform Services Controllers.
    1. Run the following command to create a new temporary folder
      mkdir -p /root/certs
    2. Copy the certificate files lax01psc01.1.cer, lax01psc01.key, and Root64.cer to the /root/certs folder.

      You can use an scp software such as WinSCP.

  4. Replace the certificate on the Platform Services Controller instance.
    1. Start the vSphere Certificate Manager utility on Platform Services Controller.
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate)
    3. Enter default vCenter Single Sign-On user name administrator@vsphere.local and  the vsphere_admin password.
    4. Select  Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /root/certs/lax01psc01.1.cer
    6. When prompted for the custom key, enter /root/certs/lax01psc01.key
    7. When prompted for the signing certificate, enter /root/certs/Root64.cer
    8. When prompted to Continue operation, enter Y.

      The Platform Services Controller services automatically restart.

  5. Verify that the new certificate has been installed successfully.
    1. Open a Web Browser and go to https://lax01m01psc01.lax01.rainpole.local.
    2. Verify that the Web browser shows the new certificate.
  6. After Certificate Manager replaces the certificate, restart the vami-lighttp service to update the certificate in the virtual application management interface (VAMI) of and to remove certificate files from Platform Services Controller.
    service vami-lighttp restart
    cd /root/certs
    rm lax01psc01.1.cer lax01psc01.key Root64.cer
  7. Switch the shell back to the appliance shell.
    chsh -s /bin/appliancesh root
  8. Redirect all traffic from the Compute and Edge Platform Services Controller to the Management Platform Services Controller. See Direct Traffic to Compute Platform Services Controller in Region A



    NSX Manager

    NSX Edge device


    Platform Services Controller to re-enable


    Platform Services Controller to disable



    • pool-1

    • pool-2

  9. Repeat the procedure to replace the certificate on lax01w01psc01.lax01.rainpole.local.