After you receive the custom certificates, you can replace each machine certificate.
Each machine must have a machine SSL certificate for secure communication with other services. In a multi-node deployment, you must run the Machine SSL certificate generation commands on each node. Use the --server parameter to point to the Platform Services Controller from a vCenter Server with external Platform Services Controller.
You must have the following information before you can start replacing the certificates:
- Password for administrator@vsphere.local.
- Valid Machine SSL custom certificate (.crt file).
- Valid Machine SSL custom key (.key file).
- Valid custom certificate for Root (.crt file).
- If you are running the command on a vCenter Server with external Platform Services Controller in a multi-node deployment, the IP address of the Platform Services Controller.
Prerequisites
You must have received a certificate for each machine from your third-party or enterprise CA.
- Key size: 2048 bits or more (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
- Contains the following Key Usages: Digital Signature, Key Encipherment
Procedure
Example: Replace Machine SSL Certificates with Custom Certificates
This example shows how to replace the machine SSL certificate with a custom certificate on a Windows installation. You can replace the machine SSL certificate on each node the same way.
- First, delete the existing certificate in VECS.
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
- Next, add the replacement certificate.
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert E:\custom-certs\ms-ca\signed-ssl\custom-w1-vim-cat-dhcp-094.eng.vmware.com.crt --key E:\custom-certs\ms-ca\signed-ssl\custom-x3-vim-cat-dhcp-1128.vmware.com.priv
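Before deleting the existing VECS entry, it is worth confirming that the custom certificate actually meets the prerequisites listed above and that the .key file belongs to the .crt file, since a mismatched or non-compliant pair leaves the node without a working Machine SSL certificate. The following PowerShell pre-flight check is an added example and is not part of the VMware documentation or of vecs-cli; the paths, the FQDN and the function name are placeholders, and the key-to-certificate match check assumes PowerShell 7 or later (ImportFromPem is not available in Windows PowerShell 5.1).

```powershell
# Added example (not VMware code): pre-flight check for a custom Machine SSL certificate.
function Test-MachineSslCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,  # PEM .crt file
        [Parameter(Mandatory)] [string] $Fqdn,      # machine FQDN that must appear in the SAN
        [string] $KeyPath                           # optional PEM .key file (match check needs PowerShell 7+)
    )
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $problems = New-Object System.Collections.Generic.List[string]

    # x509 version 3 is required so that the SAN and Key Usage extensions can be present.
    if ($cert.Version -ne 3) { $problems.Add("Certificate is X.509 v$($cert.Version); v3 required") }

    # Key size: 2048 bits or more.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) { $problems.Add("Public key is not RSA") }
    elseif ($rsa.KeySize -lt 2048) { $problems.Add("RSA key is $($rsa.KeySize) bits; 2048 or more required") }

    # SubjectAltName (OID 2.5.29.17) must list DNS Name=<machine_FQDN>; Format() renders it that way on Windows.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($false) -notmatch "DNS Name=$([regex]::Escape($Fqdn))(,|$)") {
        $problems.Add("SubjectAltName does not contain DNS Name=$Fqdn")
    }

    # Key Usage must include both Digital Signature and Key Encipherment.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'DigitalSignature, KeyEncipherment'
    if (-not $ku -or ($ku.KeyUsages -band $required) -ne $required) {
        $problems.Add("Key Usage lacks Digital Signature and/or Key Encipherment")
    }

    # A certificate outside its validity window is not a valid replacement.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems.Add("Certificate is not valid at $now") }

    # Optional: the private key must belong to this certificate (same RSA modulus).
    if ($KeyPath -and $rsa -and $PSVersionTable.PSVersion.Major -ge 7) {
        $priv = [System.Security.Cryptography.RSA]::Create()
        $priv.ImportFromPem((Get-Content -Raw $KeyPath))
        $pubMod  = [Convert]::ToBase64String($rsa.ExportParameters($false).Modulus)
        $privMod = [Convert]::ToBase64String($priv.ExportParameters($false).Modulus)
        if ($pubMod -ne $privMod) { $problems.Add("Private key in $KeyPath does not match the certificate") }
    }
    return $problems
}

# Placeholder paths and FQDN; an empty result means every check passed and vecs-cli can be run.
$findings = @(Test-MachineSslCertificate -CertPath 'E:\custom-certs\machine.crt' -KeyPath 'E:\custom-certs\machine.key' -Fqdn 'vcenter01.example.com')
if ($findings.Count -eq 0) { 'OK: proceed with vecs-cli entry delete / entry create' } else { $findings }
```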