To establish trusted connection with the other SDDC management components, you replace the machine SSL certificate on each vCenter Server instance in Region B with a custom certificate signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate AD server.

Table 1. Certificate-Related Files on the vCenter Server Instance
vCenter Server FQDN Files for Certificate Replacement
lax01w01vc01.lax01.rainpole.local
  • lax01w01vc01.key
  • lax01w01vc01.1.cer
  • Root64.cer

Prerequisites

  • CA-signed certificate files generated by using VMware Validated Design Certificate Generation Utility (CertGenVVD). See the VMware Validated Design Planning and Preparation documentation.
  • A Windows host with an SSH terminal access software such as PuTTY and an scp software such as WinSCP installed.

Procedure

  1. Log in to Compute vCenter Server by using Secure Shell (SSH) client.
    1. Open an SSH connection to the virtual machine lax01w01vc01.lax01.rainpole.local.
    2. Log in using the following credentials.
      Setting Value
      User name root
      Password vcenter_server_root_password
  2. Change the vCenter Server appliance command shell to the Bash shell to allow secure copy (SCP) connections for the root user.
    shell
    chsh -s "/bin/bash" root
  3. Copy the generated certificates to the vCenter Server Appliance.
    1. Run the following command to create a new temporary folder.
      mkdir -p /root/certs
    2. Copy the certificate files lax01w01vc01.1.cer, lax01w01vc01.key, and Root64.cer to the /root/certs folder.
      You can use an SCP software such as WinSCP.
  4. Replace the CA-signed certificate on the vCenter Server instance.
    1. Start the vSphere Certificate Manager utility on the vCenter Server instance.
      /usr/lib/vmware-vmca/bin/certificate-manager
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
    3. When prompted for the infrastructure server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.
      Option IP Address of Connected Platform Services Controller
      lax01w01vc01.lax01.rainpole.local 172.17.11.71
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that you copied over earlier, and confirm the import with Yes (Y).
      vCenter Server Input to the vSphere Certificate Manager Utility
      lax01w01vc01.lax01.rainpole.local

      Please provide valid custom certificate for Machine SSL.

      File : /root/certs/lax01w01vc01.1.cer

      Please provide valid custom key for Machine SSL.

      File : /root/certs/lax01w01vc01.key

      Please provide the signing certificate of the Machine SSL certificate.

      File : /root/certs/Root64.cer

  5. After Status shows 100% Completed, wait several minutes until all vCenter Server services are restarted.
  6. Restart the vami-lighttp service to update the certificate on the virtual appliance management interface (VAMI) and to remove certificate files.
    service vami-lighttp restart
    cd /root/certs/
    rm lax01w01vc01.1.cer lax01w01vc01.key Root64.cer