Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products in a single operation.

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215.

Prerequisites

  • Provide a Windows Server 2012 host that is part of the rainpole.local domain.

  • Install a Certificate Authority server on the rainpole.local domain.

Procedure

  1. Log in to a Windows host that has access to your data center.
  2. Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 to the Windows host from which you connect to the data center, and extract the ZIP file to the C: drive.
  3. In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=NYC
    ST=NY
    CC=US
    CN=VMware_VVD
    keysize=2048
  5. Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.
    Table 1. Certificate Generation Files for ROBO

    Host Name or Service in ROBO                         Configuration Files
    -------------------------------------------------    -------------------
    Virtual Infrastructure Layer
      vCenter Server:  nyc01r01vc01.rainpole.local       nyc01r01vc01.txt
      NSX Manager:     nyc01r01nsx01.rainpole.local      nyc01r01nsx01.txt
    Operations Management Layer
      vRealize Log Insight:                              nyc01vrli01.txt
        • nyc01vrli01.rainpole.local
        • nyc01vrli01a.rainpole.local
        • nyc01vrli01b.rainpole.local
        • nyc01vrli01c.rainpole.local

  6. Verify that each configuration file includes FQDNs and host names in the dedicated sections.

    For example, the configuration file for the vCenter Server instance must contain the following properties:

    nyc01r01vc01.txt

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=NYC
    ST=default
    CC=default
    CN=nyc01r01vc01.rainpole.local
    keysize=default
    [SAN]
    nyc01r01vc01
    nyc01r01vc01.rainpole.local
  7. Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
    cd C:\CertGenVVD-version
  8. Grant permissions to run third-party PowerShell scripts.
    Set-ExecutionPolicy Unrestricted
  9. Validate that you can run the utility with the configuration on the host, and verify that VMware appears in the printed CA template policy.
    .\CertGenVVD-version.ps1 -validate
  10. Generate MSCA-signed certificates.
    .\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
  11. In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts subfolder.
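The checks in steps 4 and 6 are easy to get wrong by hand when the ConfigFiles folder holds one file per product, and a mismatch only surfaces after the utility has already asked the CA for a certificate. The following Python script is an added example, not part of the VMware documentation or of the CertGenVVD utility: it parses default.txt and a per-host file in the layout shown above and reports a CN that does not match the file name, a [SAN] section that lacks the short host name or the FQDN, a SAN outside the expected domain, or a key size below 2048. It assumes, which the procedure does not state, that the literal value default in a per-host file means "take the value from default.txt"; the embedded file contents are constructed from the values in steps 4 and 6.

```python
# Added example, not part of the VMware documentation or the CertGenVVD utility.
# Assumption (not stated in the procedure): a per-host value of "default" means
# "take the value from default.txt".
import re

MIN_KEYSIZE = 2048

# Constructed sample of default.txt, using the values listed in step 4.
DEFAULT_TXT = """\
ORG=Rainpole Inc.
OU=Rainpole.local
LOC=NYC
ST=NY
CC=US
CN=VMware_VVD
keysize=2048
"""

# Constructed per-host file in the layout shown in step 6.
VC_TXT = """\
[CERT]
NAME=default
ORG=default
OU=default
LOC=NYC
ST=default
CC=default
CN=nyc01r01vc01.rainpole.local
keysize=default
[SAN]
nyc01r01vc01
nyc01r01vc01.rainpole.local
"""


def _split_kv(line):
    """Split one KEY=VALUE line, tolerating surrounding whitespace."""
    key, sep, value = line.partition("=")
    if not sep:
        raise ValueError(f"expected KEY=VALUE, got {line!r}")
    return key.strip(), value.strip()


def parse_defaults(text):
    """default.txt has no sections: one KEY=VALUE per non-empty line."""
    return dict(_split_kv(line) for line in text.splitlines() if line.strip())


def parse_host_config(text):
    """Per-host file: [CERT] holds KEY=VALUE lines, [SAN] holds one name per line."""
    cert, sans, section = {}, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).upper()
        elif section == "CERT":
            key, value = _split_kv(line)
            cert[key] = value
        elif section == "SAN":
            sans.append(line.lower())
        else:
            raise ValueError(f"line outside [CERT]/[SAN]: {line!r}")
    return cert, sans


def resolve(cert, defaults):
    """Replace the literal 'default' with the default.txt value; keys absent there (e.g. NAME) stay as-is."""
    return {k: defaults[k] if v.lower() == "default" and k in defaults else v
            for k, v in cert.items()}


def validate_config(filename, text, defaults, domain):
    """Return the list of problems found; an empty list means the file is consistent."""
    cert, sans = parse_host_config(text)
    cert = resolve(cert, defaults)
    short = filename.rsplit(".", 1)[0].lower()   # nyc01r01vc01.txt -> nyc01r01vc01
    fqdn = f"{short}.{domain.lower()}"
    problems = []
    if cert.get("CN", "").lower() != fqdn:
        problems.append(f"CN {cert.get('CN')!r} does not match file name ({fqdn})")
    for key in ("ORG", "OU", "LOC", "ST", "CC"):
        if not cert.get(key):
            problems.append(f"[CERT] is missing {key}")
    try:
        keysize = int(cert.get("keysize", ""))
    except ValueError:
        problems.append("keysize is not an integer")
    else:
        if keysize < MIN_KEYSIZE:
            problems.append(f"keysize {keysize} is below {MIN_KEYSIZE}")
    for name in (short, fqdn):           # step 6 lists both the short name and the FQDN under [SAN]
        if name not in sans:
            problems.append(f"[SAN] lacks {name}")
    for san in sans:
        if "." in san and not san.endswith("." + domain.lower()):
            problems.append(f"[SAN] entry {san!r} is outside {domain}")
    return problems


if __name__ == "__main__":
    print(validate_config("nyc01r01vc01.txt", VC_TXT, parse_defaults(DEFAULT_TXT), "rainpole.local"))
```

Run it against every file in C:\CertGenVVD-version\ConfigFiles before step 10; a non-empty list for any file is a reason to correct that file rather than to re-run the utility, since a certificate issued with the wrong CN or an incomplete SAN list has to be revoked and reissued by the CA.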