Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.
For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215 and VMware Validated Design Planning and Preparation.
Provide a Windows Server 2012 host that is part of the sfo01.rainpole.local domain.
Install an intermediate Certificate Authority server on the sfo01.rainpole.local domain.
- Log in to a Windows host that has access to your data center.
- Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 to the Windows host that you use to connect to the data center, and extract the ZIP file to the C: drive.
- In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
- Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=NYC
    ST=NY
    CC=US
    CN=VMware_VVD
    keysize=2048
- Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.
Table 1. Certificate Generation Files for ROBO
Host Name or Service in Consolidated SDDC
vRealize Log Insight
- Verify that each configuration file includes FQDNs and host names in the dedicated sections.
For example, the configuration file for the ROBO vCenter Server instance must contain the following properties:
    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=NYC
    ST=default
    CC=default
    CN=nyc01r01vc01.rainpole.local
    keysize=default
    [SAN]
    nyc01r01vc01.rainpole.local
- Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
- Grant permissions to run third-party PowerShell scripts.
- Validate that you can run the utility with the configuration on the host, and verify that VMware is included in the printed CA template policy.
- Generate MSCA-signed certificates.
.\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -inter
- In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts subfolder.
- In the C:\CertGenVVD-version\SignedByMSCACerts\Root64 subfolder, rename chainRoot64.cer to Root64.cer.
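
The configuration-file verification step above can be scripted as a pre-flight check that you run before generating certificates. The following PowerShell is an added example, not part of CertGenVVD or of the original procedure; the function name Test-CertGenConfig and the sample file contents are assumptions, and it relies only on the [CERT] and [SAN] layout shown above.

```powershell
# Added example (not part of CertGenVVD): pre-flight check of one configuration file's text.
# Assumes the [CERT]/[SAN] layout shown above; Test-CertGenConfig is a hypothetical name.
function Test-CertGenConfig {
    param([Parameter(Mandatory)][string]$Text, [string]$Name = 'inline')
    $section = ''; $cert = @{}; $san = @()
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1].ToUpper(); continue }
        if ($section -eq 'CERT' -and $line -match '^([^=]+)=(.*)$') {
            $cert[$Matches[1].Trim()] = $Matches[2].Trim()
        } elseif ($section -eq 'SAN') { $san += $line }
    }
    $issues = @()
    $cn = $cert['CN']
    if (-not $cn -or $cn -eq 'default') {
        $issues += 'CN is not set to the host FQDN'
    } elseif ($cn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        $issues += "CN '$cn' is not a fully qualified name"
    }
    if ($san.Count -eq 0) {
        $issues += '[SAN] section is empty'
    } elseif ($cn -and $san -notcontains $cn) {
        $issues += "CN '$cn' is not listed in [SAN]"
    }
    $ks = $cert['keysize']
    if ($ks -and $ks -ne 'default' -and ($ks -notmatch '^\d+$' -or [int]$ks -lt 2048)) {
        $issues += "keysize '$ks' is not 'default' or a value of at least 2048"
    }
    [pscustomobject]@{ File = $Name; CN = $cn; Issues = $issues -join '; ' }
}

# Constructed sample: short host name in CN that [SAN] does not list, and a weak key size.
$sample = @'
[CERT]
NAME=default
ORG=default
CN=nyc01r01vc01
keysize=1024
[SAN]
nyc01r01vc01.rainpole.local
'@
Test-CertGenConfig -Text $sample -Name 'constructed-sample'

# Check the real files before running the utility with -MSCASigned.
Get-ChildItem .\ConfigFiles\*.txt -ErrorAction SilentlyContinue | ForEach-Object {
    Test-CertGenConfig -Text (Get-Content $_.FullName -Raw) -Name $_.Name
}
```

An empty Issues value means the file passed these checks. A CN that is absent from [SAN] typically surfaces later as a host name mismatch when clients validate the replaced certificate.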
What to do next
Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Virtual Infrastructure Components in ROBO and Replace Certificates of the Operations Management Components in ROBO.