To establish a trusted connection with the other SDDC management components, you replace the machine SSL certificate on each Platform Services Controller instance in Region B with a custom certificate signed by the certificate authority (CA) available on the parent or the intermediate Active Directory (AD) server.

The machine certificate on both Platform Services Controller instances in the region must be the same because they are load-balanced according to this Validated Design. The certificate must have a common name that is equal to the load-balanced Fully Qualified Domain Name (FQDN). Each Platform Services Controller FQDN and short name, as well as the load-balanced FQDN and short name, must be in the Subject Alternative Name (SAN) of the generated certificate.
Table 1. Certificate-Related Files on Platform Services Controllers
Platform Services Controller       | Certificate Filename
lax01m01psc01.lax01.rainpole.local | lax01psc01.1.cer, lax01psc01.key, Root64.cer
lax01w01psc01.lax01.rainpole.local | lax01psc01.1.cer, lax01psc01.key, Root64.cer

Prerequisites

  • CA-signed certificate files generated by using VMware Validated Design Certificate Generation Utility (CertGenVVD). See the VMware Validated Design Planning and Preparation documentation.
  • A Windows host with an SSH terminal access software such as PuTTY and an scp software such as WinSCP installed.

Procedure

  1. Open a Secure Shell (SSH) connection to the Platform Services Controller virtual machine.
    1. Open an SSH connection to lax01m01psc01.lax01.rainpole.local and log in with the following credentials.
      Setting   | Value
      User name | root
      Password  | mgmtpsc_root_password
  2. Change the Platform Services Controller command shell to the Bash shell to allow secure copy (scp) connections for the root user.
    shell
    chsh -s "/bin/bash" root
  3. Copy the generated certificates to the Platform Services Controllers.
    1. Run the following command to create a new temporary folder.
      mkdir -p /root/certs
    2. Copy the certificate files lax01psc01.1.cer, lax01psc01.key, and Root64.cer to the /root/certs folder.
      You can use an scp software such as WinSCP.
  4. Replace the certificate on the Platform Services Controller instance.
    1. Start the vSphere Certificate Manager utility on Platform Services Controller.
      /usr/lib/vmware-vmca/bin/certificate-manager
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /root/certs/lax01psc01.1.cer.
    6. When prompted for the custom key, enter /root/certs/lax01psc01.key.
    7. When prompted for the signing certificate, enter /root/certs/Root64.cer.
    8. When prompted to Continue operation, enter Y.
      The Platform Services Controller services automatically restart.
  5. After Certificate Manager replaces the certificate, restart the vami-lighttp service so that the virtual application management interface (VAMI) of the Platform Services Controller picks up the new certificate, and then remove the certificate files from the Platform Services Controller.
    service vami-lighttp restart
    cd /root/certs
    rm lax01psc01.1.cer lax01psc01.key Root64.cer
  6. Switch the shell back to the appliance shell.
    chsh -s /bin/appliancesh root
  7. Repeat the procedure to replace the certificate on lax01w01psc01.lax01.rainpole.local.
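The following pre-flight check is an added example and is not part of the VMware documentation or the CertGenVVD utility. Run in the PSC Bash shell before step 4, it verifies with openssl that the generated certificate meets the naming rules stated above (common name equal to the load-balanced FQDN; both PSC FQDNs, their short names and the load-balanced names in the SAN) and that it chains to Root64.cer. The load-balanced name lax01psc01.lax01.rainpole.local is an assumption; the self-signed certificate built by make_sample_cert is constructed for testing only.

```shell
# Assumed load-balanced FQDN; the PSC names are the ones used in the procedure.
LB_FQDN="lax01psc01.lax01.rainpole.local"
REQUIRED_SANS="$LB_FQDN lax01psc01
  lax01m01psc01.lax01.rainpole.local lax01m01psc01
  lax01w01psc01.lax01.rainpole.local lax01w01psc01"

# cert_cn FILE: print the certificate's Common Name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_sans FILE: print the DNS entries of the SAN extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# check_psc_cert CERT ROOT: return 0 when every rule holds, 1 otherwise,
# reporting each failed rule on stderr. On a PSC: CERT=/root/certs/lax01psc01.1.cer
# and ROOT=/root/certs/Root64.cer.
check_psc_cert() {
    local cert="$1" root="$2" rc=0 cn sans name
    cn=$(cert_cn "$cert")
    [ "$cn" = "$LB_FQDN" ] || { echo "CN is '$cn', expected $LB_FQDN" >&2; rc=1; }
    sans=$(cert_sans "$cert")
    for name in $REQUIRED_SANS; do
        echo "$sans" | grep -qxF "$name" || { echo "SAN missing: $name" >&2; rc=1; }
    done
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $root" >&2; rc=1; }
    return $rc
}

# make_sample_cert PREFIX "name ...": constructed self-signed test certificate
# (CN = LB_FQDN, SAN = the given names) so the check can be exercised without a CA.
make_sample_cert() {
    local prefix="$1" sans="$2" list
    list=$(printf 'DNS:%s,' $sans | sed 's/,$//')
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\n[ext]\nsubjectAltName=%s\n' \
        "$list" > "$prefix.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$LB_FQDN" \
        -keyout "$prefix.key" -out "$prefix.cer" -config "$prefix.cnf" 2>/dev/null
}
```

A failed check prints the missing SAN or CN mismatch, which is cheaper to fix in CertGenVVD than after certificate-manager has restarted the PSC services.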