Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215.

Prerequisites

  • Provide a Windows Server 2012 host that is part of the sfo01.rainpole.local domain.
  • Install a Certificate Authority server on the rainpole.local domain.

Procedure

  1. Log in to a Windows host that has access to your data center.
  2. On the Windows host from which you connect to the data center, download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 and extract the ZIP file to the C: drive.
  3. In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=SFO
    ST=CA
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.
    Table 1. Certificate Generation Files for Region A
    (A configuration file on a service line covers all host names listed under it.)

    Host Name or Service in Region A            Configuration File
    ------------------------------------------  ------------------
    Virtual Infrastructure Layer
      Platform Services Controller              sfo01psc01.txt
        • sfo01psc01.sfo01.rainpole.local
        • sfo01m01psc01.sfo01.rainpole.local
        • sfo01w01psc01.sfo01.rainpole.local
      vCenter Server
        sfo01m01vc01.sfo01.rainpole.local       sfo01m01vc01.txt
        sfo01w01vc01.sfo01.rainpole.local       sfo01w01vc01.txt
      NSX Manager
        sfo01m01nsx01.sfo01.rainpole.local      sfo01m01nsx01.txt
        sfo01w01nsx01.sfo01.rainpole.local      sfo01w01nsx01.txt
    Operations Management Layer
      vRealize Suite Lifecycle Manager
        vrslcm01svr01a.rainpole.local           vrslcm.txt
      vRealize Operations Manager               vrops.txt
        • vrops01svr01.rainpole.local
        • vrops01svr01a.rainpole.local
        • vrops01svr01b.rainpole.local
        • vrops01svr01c.rainpole.local
      vRealize Log Insight                      vrli.sfo01.txt
        • sfo01vrli01.sfo01.rainpole.local
        • sfo01vrli01a.sfo01.rainpole.local
        • sfo01vrli01b.sfo01.rainpole.local
        • sfo01vrli01c.sfo01.rainpole.local
    Cloud Management Platform Layer
      vRealize Automation                       vra.txt
        • vra01svr01.rainpole.local
        • vra01svr01a.rainpole.local
        • vra01svr01b.rainpole.local
        • vra01svr01c.rainpole.local
        • vra01iws01.rainpole.local
        • vra01iws01a.rainpole.local
        • vra01iws01b.rainpole.local
        • vra01ims01.rainpole.local
        • vra01ims01a.rainpole.local
        • vra01ims01b.rainpole.local
        • vra01dem01a.rainpole.local
        • vra01dem01b.rainpole.local
      vRealize Business Server
        vrb01svr01.rainpole.local               vrb.txt
    Business Continuity Layer
      Site Recovery Manager and vSphere Replication
        sfo01m01srm01.sfo01.rainpole.local      sfo01m01srm01.txt
        sfo01m01vrms01.sfo01.rainpole.local     sfo01m01vrms01.txt

    Table 2. Certificate Generation Files for Region B

    Host Name or Service in Region B            Configuration File
    ------------------------------------------  ------------------
    Virtual Infrastructure Layer
      Platform Services Controller              lax01psc01.txt
        • lax01psc01.lax01.rainpole.local
        • lax01m01psc01.lax01.rainpole.local
        • lax01w01psc01.lax01.rainpole.local
      vCenter Server
        lax01m01vc01.lax01.rainpole.local       lax01m01vc01.txt
        lax01w01vc01.lax01.rainpole.local       lax01w01vc01.txt
      NSX Manager
        lax01m01nsx01.lax01.rainpole.local      lax01m01nsx01.txt
        lax01w01nsx01.lax01.rainpole.local      lax01w01nsx01.txt
    Operations Management Layer
      vRealize Log Insight                      vrli.lax01.txt
        • lax01vrli01.lax01.rainpole.local
        • lax01vrli01a.lax01.rainpole.local
        • lax01vrli01b.lax01.rainpole.local
        • lax01vrli01c.lax01.rainpole.local
    Business Continuity Layer
      Site Recovery Manager and vSphere Replication
        lax01m01srm01.lax01.rainpole.local      lax01m01srm01.txt
        lax01m01vrms01.lax01.rainpole.local     lax01m01srm01.txt
  6. Verify that each configuration file includes the FQDNs and host names in the dedicated [CERT] and [SAN] sections.
    For example, the configuration files for the Platform Services Controller instances must contain the following properties.

    sfo01psc01.txt (Region A):

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01psc01.sfo01.rainpole.local
    keysize=default
    [SAN]
    sfo01psc01
    sfo01m01psc01
    sfo01w01psc01
    sfo01psc01.sfo01.rainpole.local
    sfo01m01psc01.sfo01.rainpole.local
    sfo01w01psc01.sfo01.rainpole.local

    lax01psc01.txt (Region B):

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=LAX
    ST=default
    CC=default
    CN=lax01psc01.lax01.rainpole.local
    keysize=default
    [SAN]
    lax01psc01
    lax01m01psc01
    lax01w01psc01
    lax01psc01.lax01.rainpole.local
    lax01m01psc01.lax01.rainpole.local
    lax01w01psc01.lax01.rainpole.local

  7. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
    cd C:\CertGenVVD-version
  8. Grant permissions to run third-party PowerShell scripts.
    Set-ExecutionPolicy Unrestricted
  9. Validate that the utility can run with the configuration on the host, and verify that VMware is listed in the CA template policy that the utility prints.
    .\CertGenVVD-version.ps1 -validate
  10. Generate MSCA-signed certificates.
    .\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
  11. In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts subfolder.
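Steps 4 to 6 are manual checks, and a stray or malformed file in ConfigFiles means the utility requests a certificate nobody planned for, or one whose SAN list does not cover every name a client will use. The following PowerShell script is an added example, not part of the VMware Validated Design documentation or of the CertGenVVD utility itself; it automates those three checks by parsing default.txt and every file in ConfigFiles, confirming the step 4 values, confirming that the folder holds exactly the Region A file set from Table 1, and confirming that each [SAN] list repeats the CN and pairs every FQDN with its short host name. The script file name, its -Root parameter and the sample layout it builds in a temporary folder are assumptions for illustration.

```powershell
# Added example (not from the VMware documentation or the CertGenVVD utility):
# automates the verifications in steps 4 to 6. Run as
# .\Test-CertGenLayout.ps1 -Root C:\CertGenVVD-version (script name assumed);
# without -Root it checks a constructed sample layout so it can run offline.
param([string]$Root)

function Read-CertGenConfig {
    # Parse a CertGenVVD configuration file: key=value lines (with or without a
    # [CERT] header, as in default.txt) go into CERT, lines under [SAN] into SAN.
    param([Parameter(Mandatory)][string]$Path)
    $result = @{ CERT = @{}; SAN = @() }
    $section = $null
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToUpper(); continue }
        if ($section -eq 'SAN') { $result.SAN += $line; continue }
        if ($line -match '^([^=]+)=(.*)$') { $result.CERT[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $result
}

function Test-CertGenLayout {
    # Return the list of problems found; an empty list means steps 4 to 6 pass.
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string[]]$ExpectedFiles,
        [Parameter(Mandatory)][hashtable]$ExpectedDefaults
    )
    $problems = @()

    # Step 4: default.txt carries the expected organisation and key size values
    $defaults = (Read-CertGenConfig -Path (Join-Path $Root 'default.txt')).CERT
    foreach ($key in $ExpectedDefaults.Keys) {
        if ($defaults[$key] -ne $ExpectedDefaults[$key]) {
            $problems += "default.txt: $key is '$($defaults[$key])', expected '$($ExpectedDefaults[$key])'"
        }
    }

    # Step 5: ConfigFiles holds exactly the expected files, nothing more, nothing less
    $configDir = Join-Path $Root 'ConfigFiles'
    $present = @(Get-ChildItem -Path $configDir -File | Select-Object -ExpandProperty Name)
    foreach ($extra in @($present | Where-Object { $ExpectedFiles -notcontains $_ })) {
        $problems += "ConfigFiles: unexpected file $extra"
    }
    foreach ($missing in @($ExpectedFiles | Where-Object { $present -notcontains $_ })) {
        $problems += "ConfigFiles: missing file $missing"
    }

    # Step 6: every expected file has a CN in [CERT] and a [SAN] list that repeats
    # the CN and pairs each FQDN with its short host name
    foreach ($name in @($present | Where-Object { $ExpectedFiles -contains $_ })) {
        $cfg = Read-CertGenConfig -Path (Join-Path $configDir $name)
        $cn = $cfg.CERT['CN']
        if (-not $cn) { $problems += "${name}: [CERT] has no CN"; continue }
        if ($cfg.SAN.Count -eq 0) { $problems += "${name}: [SAN] section is empty or missing"; continue }
        if ($cfg.SAN -notcontains $cn) { $problems += "${name}: [SAN] does not list the CN $cn" }
        foreach ($fqdn in @($cfg.SAN | Where-Object { $_ -like '*.*' })) {
            $short = $fqdn.Split('.')[0]
            if ($cfg.SAN -notcontains $short) { $problems += "${name}: [SAN] lists $fqdn without short name $short" }
        }
    }
    return $problems
}

# Expected values from step 4 and the Region A file set from Table 1 (step 5)
$expectedDefaults = @{ ORG = 'Rainpole Inc.'; OU = 'Rainpole.local'; LOC = 'SFO'; ST = 'CA'; CC = 'US'; CN = 'VMware_VVD'; keysize = '2048' }
$regionAFiles = @('sfo01psc01.txt', 'sfo01m01vc01.txt', 'sfo01w01vc01.txt', 'sfo01m01nsx01.txt', 'sfo01w01nsx01.txt',
                  'vrslcm.txt', 'vrops.txt', 'vrli.sfo01.txt', 'vra.txt', 'vrb.txt', 'sfo01m01srm01.txt', 'sfo01m01vrms01.txt')

if ($Root) {
    Test-CertGenLayout -Root $Root -ExpectedFiles $regionAFiles -ExpectedDefaults $expectedDefaults
} else {
    # Constructed sample layout (not a real extracted utility): a correct default.txt,
    # a sfo01psc01.txt whose [SAN] lacks one short name, a stray file, and a missing
    # file, checked against a two-file subset of Table 1 so that three findings appear
    $Root = Join-Path ([System.IO.Path]::GetTempPath()) "CertGenVVD-check-$PID"
    New-Item -ItemType Directory -Path (Join-Path $Root 'ConfigFiles') -Force | Out-Null
    ($expectedDefaults.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) | Set-Content -Path (Join-Path $Root 'default.txt')
    @"
[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=sfo01psc01.sfo01.rainpole.local
keysize=default
[SAN]
sfo01psc01
sfo01psc01.sfo01.rainpole.local
sfo01m01psc01.sfo01.rainpole.local
"@ | Set-Content -Path (Join-Path $Root 'ConfigFiles\sfo01psc01.txt')
    'CN=old.example' | Set-Content -Path (Join-Path $Root 'ConfigFiles\old.txt')
    Test-CertGenLayout -Root $Root -ExpectedFiles @('sfo01psc01.txt', 'sfo01m01vc01.txt') -ExpectedDefaults $expectedDefaults
    Remove-Item -Path $Root -Recurse -Force
}
```

Run without arguments, the sample layout yields three findings: the unexpected old.txt, the missing sfo01m01vc01.txt, and the FQDN sfo01m01psc01.sfo01.rainpole.local listed without its short name. Against a real extraction, pass -Root and expect an empty result before moving on to step 7; the Region B file set from Table 2 can be substituted for $regionAFiles in the same way.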
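Seeing the SignedByMSCACerts subfolder appear confirms only that the utility ran; before the certificates are installed on the management products, a practitioner would confirm that each one was actually issued by the intended MSCA, carries the requested RSA key size, and lists every name from the matching [SAN] section. The following PowerShell check is an added example, not part of the VMware documentation or of the CertGenVVD utility. It assumes that the certificates are saved as .cer or .crt files under SignedByMSCACerts (the page does not state the output file format), that the issuing CA's common name is known (rainpole-CA is a placeholder), and, for the constructed demonstration certificate only, that the New-SelfSignedCertificate cmdlet from Windows 10 / Windows Server 2016 or later is available.

```powershell
# Added example (not from the VMware documentation or the CertGenVVD utility):
# validates certificates produced in step 10 before they are installed.
# Assumptions: .cer/.crt files under SignedByMSCACerts; the MSCA common name is
# supplied by the caller (rainpole-CA below is a placeholder).

function Test-GeneratedCertificate {
    # Return the findings for one certificate; an empty list means it passed.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string[]]$ExpectedNames,   # the [SAN] list of the matching config file
        [Parameter(Mandatory)][string]$IssuerCn,          # common name of the issuing MSCA
        [int]$KeySize = 2048                               # keysize from default.txt
    )
    $findings = @()
    if ($Cert.Issuer -notmatch "CN=$([regex]::Escape($IssuerCn))") {
        $findings += "issuer is '$($Cert.Issuer)', not the MSCA '$IssuerCn'"
    }
    # Verify() builds the chain against this host's trusted roots
    if (-not $Cert.Verify()) { $findings += 'does not chain to a trusted root on this host' }
    if ($Cert.NotAfter -le (Get-Date)) { $findings += "expired on $($Cert.NotAfter)" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { $findings += 'public key is not RSA' }
    elseif ($rsa.KeySize -ne $KeySize) { $findings += "key size is $($rsa.KeySize), expected $KeySize" }
    # Subject Alternative Name is OID 2.5.29.17; Format() output is locale dependent,
    # the English 'DNS Name=' label is assumed here
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    }
    foreach ($name in $ExpectedNames) {
        if ($sanNames -notcontains $name) { $findings += "SAN is missing $name" }
    }
    return $findings
}

function Test-SignedByMSCACerts {
    # Walk the output folder and return a hashtable of file path -> findings
    param(
        [string]$Folder = 'C:\CertGenVVD-version\SignedByMSCACerts',
        [Parameter(Mandatory)][string[]]$ExpectedNames,
        [Parameter(Mandatory)][string]$IssuerCn
    )
    $report = @{}
    foreach ($file in Get-ChildItem -Path $Folder -Recurse -Include *.cer, *.crt -File) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
        $report[$file.FullName] = Test-GeneratedCertificate -Cert $cert -ExpectedNames $ExpectedNames -IssuerCn $IssuerCn
    }
    return $report
}

# Constructed demonstration: a self-signed certificate stands in for a generated one,
# so the issuer and chain checks are expected to fail, and one SAN entry is left out
# on purpose. Requires the Windows 10 / Server 2016 New-SelfSignedCertificate.
$demo = New-SelfSignedCertificate -DnsName 'sfo01psc01.sfo01.rainpole.local', 'sfo01psc01' `
    -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(30)
try {
    $findings = Test-GeneratedCertificate -Cert $demo -IssuerCn 'rainpole-CA' `
        -ExpectedNames @('sfo01psc01', 'sfo01psc01.sfo01.rainpole.local', 'sfo01m01psc01.sfo01.rainpole.local')
    $findings | ForEach-Object { Write-Output "demo certificate: $_" }
} finally {
    # remove the throwaway certificate from the user store again
    Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)"
}
```

The demonstration reports three findings (wrong issuer, no trusted chain, SAN missing sfo01m01psc01.sfo01.rainpole.local) while the key size and validity checks pass. For the real output, call Test-SignedByMSCACerts once per service with the [SAN] list of that service's configuration file and the CN of your MSCA; an empty findings list for every file is the condition a practitioner wants before step 11 is treated as complete.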