After you have received the signed certificate from the CA and made it the VMCA root certificate, you can replace all machine SSL certificates.
These steps are essentially the same as the steps for replacing with a certificate that uses VMCA as the certificate authority. However, in this case, VMCA signs all certificates with the full chain.
Each machine must have a machine SSL certificate for secure communication with other services. In a multi-node deployment, you must run the Machine SSL certificate generation commands on each node. Use the --server parameter to point to the Platform Services Controller from a vCenter Server with external Platform Services Controller.
Prerequisites
For each machine SSL certificate, the SubjectAltName must contain DNS Name=<Machine FQDN>.
Procedure
Example: Replacing Machine SSL Certificates (VMCA is Intermediate CA)
- Create a configuration file for the SSL certificate and save it as ssl-config.cfg in the current directory.
Country = US Name = vmca-<PSC-FQDN-example> Organization = VMware OrgUnit = VMware Engineering State = California Locality = Palo Alto Hostname = <FQDN>
- Generate a key pair for the machine SSL certificate. Run this command on each management node and Platform Services Controller node; it does not require a --server option.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=ssl-key.priv --pubkey=ssl-key.pub
The ssl-key.priv and ssl-key.pub files are created in the current directory.
- Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the VMCA root certificate with custom certificate, VMCA signs all certificates with the full chain.
- On a Platform Services Controller node or embedded installation:
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg
- On a vCenter Server (external installation):
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg --server=<psc-ip-or-fqdn>
The new-vmca-ssl.crt file is created in the current directory.
- On a Platform Services Controller node or embedded installation:
- (Optional) List the content of VECS.
"C:\Program Files\VMware\vCenter Server\vmafdd\" vecs-cli store list
- Sample output on Platform Services Controller:
MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machine
- Sample output on vCenter Server:
output (on vCenter): MACHINE_SSL_CERT TRUSTED_ROOTS TRUSTED_ROOT_CRLS machine vpxd vpxd-extension vsphere-webclient sms
- Sample output on Platform Services Controller:
- Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store and --alias values have to exactly match with the default names.
- On the Platform Services Controller, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv
- On each management node or embedded deployment, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for each machine separately because each has a different FQDN.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv
- On the Platform Services Controller, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store.