Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215 and VMware Validated Design Planning and Preparation.

Prerequisites

  • Provide a Window Server 2012 host that is part of the sfo01.rainpole.local domain.

  • Install an intermediate Certificate Authority server on the sfo01.rainpole.local domain.

Procedure

  1. Log in to a Windows host that has access to your data center.
  2. Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
  3. In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=NYC
    ST=NY
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.
    Table 1. Certificate Generation Files for ROBO

    SDDC Layer

    Host Name or Service in Consolidated SDDC

    Configuration Files

    Virtual Infrastructure

    vCenter Server

    nyc01r01vc01.rainpole.local

    nyc01r01vc01.txt

    NSX Manager

    nyc01r01nsx01.rainpole.local

    nyc01r01nsx01.txt

    Operations Management

    vRealize Log Insight

    • nyc01vrli01.rainpole.local

    • nyc01vrli01a.rainpole.local

    • nyc01vrli01b.rainpole.local

    • nyc01vrli01c.rainpole.local

    vrli-nyc01.txt

  6. Verify that each configuration file includes FQDNs and host names in the dedicated sections.

    For example, the configuration file for the ROBO vCenter Server instance must contain the following properties:

    nyc01r01vc01.txt

    [CERT] 
    NAME=default
    ORG=default 
    OU=default
    LOC=NYC
    ST=default
    CC=default
    CN=nyc01r01vc01.rainpole.local
    keysize=default
    [SAN]
    nyc01r01vc01.rainpole.local
  7. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
    cd C:\CertGenVVD-version
  8. Grant permissions to run third-party PowerShell scripts.
    Set-ExecutionPolicy Unrestricted
  9. Validate if you can run the utility using the configuration on the host and verify if VMware is included in the printed CA template policy.
    .\CertgenVVD-version.ps1 -validate
  10. Generate MSCA-signed certificates.
    .\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -inter
  11. In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts subfolder.
  12. In C:\CertGenVVD-version\SignedByMSCACerts\Root64 subfolder, rename chainRoot64.cer to Root64.cer.

What to do next

Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Virtual Infrastructure Components in ROBO and Replace Certificates of the Operations Management Components in ROBO.