By using the Certificate Generation Utility for VMware Validated Design (CertGenVVD), generate certificates for the NSX-T Manager instances and cluster virtual IP that are signed by the Microsoft certificate authority (MSCA). You use these certificates for trusted communication between the NSX-T nodes and the other management components of the SDDC.

Procedure

  1. Log in to a Windows host that has access to your data center.
  2. Download the CertGenVVD-version.zip file from VMware Knowledge Base article 2146215 and extract the ZIP file to C:\CertGenVVD-version.
  3. In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
  4. Verify that the following properties are configured.
    ORG=Rainpole Inc. 
    OU=Rainpole.local 
    LOC=SFO 
    ST=CA 
    CC=US 
    CN=VMware_VVD 
    keysize=2048
    
  5. In the C:\CertGenVVD-version\ConfigFiles folder, create four text files named sfo01wnsx01a.txt, sfo01wnsx01b.txt, sfo01wnsx01c.txt, and sfo01wnsx01.txt with the following content.
    File name: sfo01wnsx01a.txt
    File content:
    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01wnsx01a.sfo01.rainpole.local
    keysize=default
    [SAN]
    sfo01wnsx01a
    sfo01wnsx01a.sfo01.rainpole.local

    File name: sfo01wnsx01b.txt
    File content:
    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01wnsx01b.sfo01.rainpole.local
    keysize=default
    [SAN]
    sfo01wnsx01b
    sfo01wnsx01b.sfo01.rainpole.local

    File name: sfo01wnsx01c.txt
    File content:
    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01wnsx01c.sfo01.rainpole.local
    keysize=default
    [SAN]
    sfo01wnsx01c
    sfo01wnsx01c.sfo01.rainpole.local

    File name: sfo01wnsx01.txt
    File content:
    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01wnsx01.sfo01.rainpole.local
    keysize=default
    [SAN]
    sfo01wnsx01
    sfo01wnsx01.sfo01.rainpole.local
  6. To open a Windows PowerShell terminal as administrator, click Start, right-click Windows PowerShell, and select More > Run as Administrator.
  7. Configure the PowerShell execution policy with the permissions required for running commands.
    Set-ExecutionPolicy Unrestricted
  8. Verify that the CertGenVVD utility is configured correctly for certificate generation.
    cd c:\CertGenVVD-version 
    .\CertGenVVD-version.ps1 -validate
  9. Generate the MSCA-signed certificate.
    .\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
  10. Navigate to the C:\CertGenVVD-version folder and verify that the SignedByMSCACerts folder contains the certificates for the NSX-T Manager nodes and for the virtual IP of the cluster.
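
A pre-flight check for the files created in step 5, added here as an example and not part of CertGenVVD or the original procedure: it parses the [CERT]/[SAN] layout shown above and flags a file whose CN, SAN entries and file name disagree, which is the usual result of copying one node's file to create the next. Test-CertGenConfig is a hypothetical helper name, and the checks assume that every file should list both the short name and the FQDN under [SAN], as the four files in this procedure do.

```powershell
# Added example (not part of CertGenVVD): lint a per-node config file before signing.
# Test-CertGenConfig is a hypothetical helper name.
function Test-CertGenConfig {
    param(
        [string]$Name,     # file name, e.g. sfo01wnsx01a.txt
        [string[]]$Lines   # file content, one element per line
    )
    $section = ''
    $cert = @{}            # key/value pairs found under [CERT]
    $san = @()             # entries found under [SAN]
    foreach ($raw in $Lines) {
        $line = $raw.Trim()    # tolerate trailing spaces and blank lines
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToUpper(); continue }
        if ($section -eq 'CERT' -and $line -match '^([^=]+)=(.*)$') {
            $cert[$Matches[1].Trim()] = $Matches[2].Trim()
        } elseif ($section -eq 'SAN') {
            $san += $line.ToLower()
        }
    }
    $cn = "$($cert['CN'])".ToLower()
    $short = $cn.Split('.')[0]
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name).ToLower()
    $problems = @()
    if ($cn -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') { $problems += "CN '$cn' is not an FQDN" }
    if ($san -notcontains $cn)    { $problems += "SAN does not list the CN '$cn'" }
    if ($san -notcontains $short) { $problems += "SAN does not list the short name '$short'" }
    if ($base -ne $short)         { $problems += "file name '$base' does not match CN host '$short'" }
    [pscustomobject]@{ File = $Name; CN = $cn; Problems = $problems }
}

# Constructed samples: the node-a file from step 5, and a copy of it made for
# node b in which the CN was updated but the [SAN] block was not.
$good = @('[CERT]', 'NAME=default', 'ORG=default', 'OU=default', 'LOC=SFO',
          'ST=default', 'CC=default', 'CN=sfo01wnsx01a.sfo01.rainpole.local',
          'keysize=default', '[SAN]', 'sfo01wnsx01a',
          'sfo01wnsx01a.sfo01.rainpole.local')
$bad = $good -replace '^CN=.*', 'CN=sfo01wnsx01b.sfo01.rainpole.local'

Test-CertGenConfig -Name 'sfo01wnsx01a.txt' -Lines $good | Format-List
Test-CertGenConfig -Name 'sfo01wnsx01b.txt' -Lines $bad  | Format-List
```

To check the real files, pass each file in the ConfigFiles folder to the function with `-Name $_.Name -Lines (Get-Content $_.FullName)` and review any non-empty Problems list before running step 9.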