After you receive the custom certificates, you can replace each machine certificate.
You must have the following information before you can start replacing the certificates:
- Password for the vCenter Single Sign-On administrator account (administrator@vsphere.local in a default installation)
- Valid Machine SSL custom certificate (.crt file)
- Valid Machine SSL custom key (.key file)
- Valid custom certificate for Root (.crt file)
You must have received a certificate for each machine from your third-party or enterprise CA. Each certificate must meet the following requirements:
- Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
- Stop all services and start the services that handle certificate creation, propagation, and storage.
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
- Log in to each node and add the new machine certificates that you received from the CA to VECS.
All machines need the new certificate in the local certificate store to communicate over SSL.
    vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
    vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert <cert-file-path> --key <key-file-path>
- Restart all services.
service-control --start --all
Example: Replace Machine SSL Certificates with Custom Certificates
This example shows how to replace the machine SSL certificate with a custom certificate. You can replace the machine SSL certificate on each node the same way.
- First, delete the existing certificate in VECS.
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
- Next, add the replacement certificate. The file passed to --cert and the file passed to --key must be the matching certificate and private key pair issued for that node.
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /tmp/custom-certs/ms-ca/signed-ssl/custom-w1-vim-cat-dhcp-094.eng.vmware.com.crt --key /tmp/custom-certs/ms-ca/signed-ssl/custom-x3-vim-cat-dhcp-1128.vmware.com.priv