To establish a trusted connection with the other SDDC management components, you replace the default or expiring machine SSL certificate on each Platform Services Controller instance in the region with a custom certificate. The certificate, generated by the CertGenVVD utility, is signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate AD server.

The machine certificate on both Platform Services Controller instances in the region must be the same because they are load-balanced according to this validated design. The certificate must have the same common name as the load-balanced Fully Qualified Domain Name (FQDN). Each Platform Services Controller FQDN and short name, as well as the load-balanced FQDN and short name, must be in the Subject Alternative Name (SAN) of the generated certificate.

Table 1. Certificate-Related Files on Platform Services Controller Instances

  Platform Services Controller          Certificate Filenames
  sfo01m01psc01.sfo01.rainpole.local    sfo01psc01.1.cer, sfo01psc01.key, Root64.cer
  sfo01w01psc01.sfo01.rainpole.local    sfo01psc01.1.cer, sfo01psc01.key, Root64.cer

Procedure

  1. Open a Secure Shell (SSH) connection to the Platform Services Controller virtual machine.
    1. Open an SSH connection to sfo01m01psc01.sfo01.rainpole.local.
    2. Log in using the following credentials.

      Setting      Value
      User name    root
      Password     psc_root_password

  2. To allow secure copy (scp) connections for the root user, change the Platform Services Controller command shell to the Bash shell.
    shell
    chsh -s "/bin/bash" root
  3. Copy the generated certificates to the Platform Services Controller.
    1. To create a new temporary folder, run the following command.
      mkdir -p /root/certs
    2. Copy the certificate files sfo01psc01.1.cer, sfo01psc01.key, and Root64.cer to the /root/certs folder.

      You can use scp software such as WinSCP.

  4. Replace the certificate on the Platform Services Controller.
    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.
      /usr/lib/vmware-vmca/bin/certificate-manager
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /root/certs/sfo01psc01.1.cer.
    6. When prompted for the custom key, enter /root/certs/sfo01psc01.key.
    7. When prompted for the signing certificate, enter /root/certs/Root64.cer.
    8. When prompted to Continue operation, enter Y.

      The Platform Services Controller services automatically restart.

  5. Verify that the new certificate has been installed successfully.
    1. Open a Web browser and go to https://sfo01m01psc01.sfo01.rainpole.local.
    2. Verify that the Web browser shows the new certificate.
  6. After Certificate Manager replaces the certificates, restart the vami-lighttp service to update the certificate in the virtual application management interface (VAMI) and to remove certificate files from Platform Services Controller.

    service vami-lighttp restart
    cd /root/certs
    rm sfo01psc01.1.cer sfo01psc01.key Root64.cer
    
  7. Switch the shell back to the appliance shell.
    chsh -s /bin/appliancesh root
  8. Redirect all traffic from the Compute and Edge Platform Services Controller to the Management Platform Services Controller. See Direct Traffic to Compute Platform Services Controller in Region A.

    Setting                                      Value
    NSX Manager                                  172.16.11.65
    NSX Edge device                              sfo01psc01
    Platform Services Controller to re-enable    sfo01m01psc01
    Platform Services Controller to disable      sfo01w01psc01
    Pools                                        pool-1, pool-2

  9. Repeat the procedure to replace the certificate on sfo01w01psc01.sfo01.rainpole.local.
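Before starting certificate-manager in step 4, it is worth confirming that the three files copied to /root/certs in step 3 actually meet the requirements stated at the top of this page: the common name equals the load-balanced FQDN, every Platform Services Controller FQDN and short name plus the load-balanced names appear in the SAN, the key belongs to the certificate, and the certificate chains to the CA in Root64.cer. The following POSIX shell function is an added example, not part of the VMware Validated Design documentation; it assumes the OpenSSL command-line tool is available on the host where it runs, and it takes the expected names as arguments because the load-balanced FQDN is not stated on this page.

```shell
#!/bin/sh
# Pre-flight check for the files in /root/certs before running certificate-manager.
# Added example, not VVD or VMware code; assumes the OpenSSL CLI is installed.
# Arguments: certificate, private key, CA file (Root64.cer), expected common name
# (the load-balanced FQDN), then every DNS name that must appear in the SAN
# (each PSC FQDN and short name plus the load-balanced FQDN and short name).
check_psc_cert() {
  cert=$1; key=$2; root=$3; expected_cn=$4; shift 4

  # 1. The CN must be the load-balanced FQDN, since both PSCs share this certificate.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected_cn" ] ||
    { echo "CN is '$cn', expected '$expected_cn'" >&2; return 1; }

  # 2. Every required name must be an exact DNS entry in the SAN. A short name
  #    is not satisfied by the FQDN that begins with it, hence the exact match.
  san_names=$(openssl x509 -in "$cert" -noout -text |
              awk '/Subject Alternative Name/ { getline; print }' |
              tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p')
  for name in "$@"; do
    printf '%s\n' "$san_names" | grep -qxF -- "$name" ||
      { echo "SAN is missing DNS:$name" >&2; return 1; }
  done

  # 3. The key file must belong to the certificate: compare the public keys.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "private key does not match certificate" >&2; return 1; }

  # 4. The certificate must chain to the CA in Root64.cer. If that file holds
  #    the intermediate AD CA rather than the root, add -partial_chain here.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not verify against $root" >&2; return 1; }

  echo "certificate, key and CA file are consistent"
}
```

Run it as `check_psc_cert /root/certs/sfo01psc01.1.cer /root/certs/sfo01psc01.key /root/certs/Root64.cer <load-balanced FQDN> <every SAN name...>`; a non-zero exit with the reason on stderr means the certificate should be regenerated before certificate-manager is started.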