The Certificate Generation Utility for VMware Validated Designs (CertGenVVD) is a command-line utility that you can use to generate custom certificates for the products that you use to build a Software-Defined Data Center (SDDC) based on VMware Validated Design for Software-Defined Data Center. Use the utility to reduce the number of steps for end-to-end certificate replacement.
CertGenVVD is written in PowerShell. It operates according to the settings in a configuration file and generates custom SSL certificates that can be signed by the following enterprise certificate authorities (CAs):
For information about certificate replacement during SDDC deployment, see VMware Validated Design Architecture and Design and VMware Validated Design Planning and Preparation from the VMware Validated Designs Documentation.
Version 3.0.4 of the CertGenVVD utility provides the following new features:
| Platform Component | Required Version |
| --- | --- |
| Operating system | Windows Server 2016 or 2012 R2 Standard, or Windows Server 2016 or 2012 R2 Datacenter |
| Java SE Development Kit (JDK) | 1.7 or later |
| OpenSSL | 1.0.2q or later |
| Product Version | Compatibility | CertGenVVD Version |
| --- | --- | --- |
| VMware Validated Design for Software-Defined Data Center 5.0.x | Yes | CertGenVVD 3.0.4 |
| VMware Validated Design for Software-Defined Data Center 4.x | Yes | CertGenVVD 3.0.4 |
| File or Folder | Description |
| --- | --- |
| default.txt | This file contains default values for the attributes Organization, Organization Unit, Location, State, Country, Common Name and Certificate Key Size for CSR generation. |
| CertgenVVD-3.0.4.ps1 | This PowerShell script generates certificates. |
| CertConfig-1.1.3.ps1 | This PowerShell script generates configuration files for the certificates. |
| RegionA-Hosts.csv, RegionB-Hosts.csv | Configuration CSVs that match a VMware Validated Design. You can use them as samples for your environment. |
| ConfigFilesSamples | This folder contains configuration file samples for each product. You can use the configuration files without modification unless you use different hostnames or cluster IP addresses in your deployment. See the vCenter Server example that follows this table. |

For example, the configuration file for VMware vCenter Server contains the following settings:

```ini
[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=sfo01m01vc01.sfo01.rainpole.local
keysize=default
[SAN]
sfo01m01vc01
sfo01m01vc01.sfo01.rainpole.local
```

In the [CERT] section, if a property value is equal to default, the utility uses the value that is defined in default.txt. The default certificate key size is 2048, except for the vRealize Operations Manager certificate: in vrops.txt, the key size is set to 4096.
| Product Name | Certificate Requirements |
| --- | --- |
| ESXi | Replacing ESXi SSL Certificates and Keys in the vSphere Security documentation |
| vCenter Server and Platform Services Controller | Use Custom Certificates with vSphere in the Platform Services Controller Administration documentation |
| NSX for vSphere | NSX Manager SSL Certification in the NSX Administration Guide |
| vRealize Automation | Updating vRealize Automation Certificates in the Managing vRealize Automation documentation |
| vRealize Orchestrator | Manage Certificates in the Installing and Configuring VMware vRealize Orchestrator documentation |
| vRealize Business | Change or Replace the SSL Certificate of vRealize Business for Cloud in the vRealize Business Install Guide |
| vRealize Operations Manager | Custom vRealize Operations Manager Certificate Requirements in the Installing vRealize Operations Manager documentation |
| vRealize Log Insight | Install a Custom SSL Certificate in the Administering vRealize Log Insight documentation |
| vRealize Suite Lifecycle Manager | Replace Certificate on the vRealize Suite Lifecycle Manager Appliance in the VMware Validated Design documentation |
| vSphere Replication | Change the SSL Certificate of the vSphere Replication Appliance in the vSphere Replication Administration documentation |
| Site Recovery Manager | Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager in the Site Recovery Manager Installation and Configuration documentation |
To run the CertGenVVD utility, you must meet specific requirements on the Windows system on which you run the utility.
Although non-administrator users can download and launch the tool, all operations fail if you do not have the proper permissions.
| Column | Description |
| --- | --- |
| Name | Description of the row. It is not used in the configuration file. |
| DNS* | Short names of the components. Add as many DNS columns as necessary. |
| DOMAIN | Domain name for your organization. |
| IPAddress | Certain products require IP addresses in the certificate. Use this column if necessary. |
| FileName | Folder and file names of the generated configuration file. It does not affect the actual contents of the certificate. |
```powershell
# Generate the per-product configuration files from the Region A hosts CSV
.\CertConfig-1.1.3.ps1 RegionA-Hosts.csv
# Generate certificates signed by the Microsoft CA, using the VMware certificate template
.\CertGenVVD-3.0.4.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'
```
The certificates are signed by a Microsoft CA according to the requirements of the validated design.
The generated certificates are saved to the certgenvvd_home_dir\SignedByMSCACerts folder in multiple formats according to the certificate requirements of the SDDC management components, that is, in X.509, PEM, PKCS#12 and PKCS#7.
The CertGenVVD utility configures the certificate chain files with the password that you specified during the generation.
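As an added example, not part of CertGenVVD or its documentation, the following PowerShell function checks an issued certificate against the [CERT]/[SAN] configuration file it was requested from: CN, RSA key size (2048, or 4096 for vRealize Operations Manager) and every SAN entry. It assumes that default.txt uses the same KEY=value names as the configuration file (ORG, OU, LOC, ST, CC, CN, keysize), that it runs in Windows PowerShell on the utility host, and that the paths in the final call are hypothetical.

```powershell
# Added example, not part of CertGenVVD: verify that an issued certificate matches the
# [CERT]/[SAN] configuration it was requested from. Assumes default.txt uses the same
# KEY=value names as the configuration file (assumption) and Windows PowerShell 5.1 or later.
function Read-CertGenConfig {
    param([string]$Path, [string]$DefaultsPath)
    $defaults = @{}
    foreach ($line in Get-Content $DefaultsPath) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $defaults[$Matches[1].ToLower()] = $Matches[2] }
    }
    $cfg = @{ san = New-Object System.Collections.Generic.List[string] }
    $section = ''
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*\[(\w+)\]\s*$') { $section = $Matches[1].ToUpper(); continue }
        if ($line -notmatch '\S') { continue }                     # skip blank lines
        if ($section -eq 'SAN') { $cfg.san.Add($line.Trim()); continue }
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $key = $Matches[1].ToLower(); $val = $Matches[2]
            if ($val -eq 'default') { $val = $defaults[$key] }     # "default" -> value from default.txt
            $cfg[$key] = $val
        }
    }
    return $cfg
}

function Test-CertGenVVDCertificate {
    param([string]$ConfigPath, [string]$CertPath, [string]$DefaultsPath = '.\default.txt')
    $cfg  = Read-CertGenConfig -Path $ConfigPath -DefaultsPath $DefaultsPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $problems = @()
    # Subject CN must be the CN requested in [CERT]
    $cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
    if ($cn -ne $cfg['cn']) { $problems += "CN is '$cn', expected '$($cfg['cn'])'" }
    # RSA key size must match keysize (2048 by default, 4096 for vRealize Operations Manager)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa.KeySize -ne [int]$cfg['keysize']) { $problems += "key size is $($rsa.KeySize), expected $($cfg['keysize'])" }
    # Every [SAN] entry must appear in the subjectAltName extension (OID 2.5.29.17)
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) { $sanNames = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() } }
    foreach ($name in $cfg.san) { if ($sanNames -notcontains $name) { $problems += "SAN '$name' missing" } }
    # A self-signed result means the CA never signed the request
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'certificate is self-signed' }
    if ($problems.Count -eq 0) { "OK: $CertPath matches $ConfigPath" } else { $problems | ForEach-Object { "MISMATCH: $_" } }
}

# Hypothetical paths: a config sample and the matching certificate from the SignedByMSCACerts folder
Test-CertGenVVDCertificate -ConfigPath .\ConfigFilesSamples\vcenter.txt -CertPath .\SignedByMSCACerts\sfo01m01vc01.cer
```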
```powershell
# Request certificates signed by the Microsoft CA through an intermediate CA
.\CertGenVVD-3.0.4.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -intermediate
# Generate only certificate signing requests (CSRs), for signing by a CA outside the utility
.\CertGenVVD-3.0.4.ps1 -CSR
```

```cmd
rem Build the CA chain file with the intermediate certificates first and the root last (cmd.exe).
rem The concatenating form of copy writes to a destination file; with output redirection
rem (> Root64.cer) only the "file(s) copied" message lands in Root64.cer.
copy IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer Root64.cer
```
The CertGenVVD utility also supports options for generating certificate-related files that do not strictly comply with VMware Validated Designs.
| Option | Command |
| --- | --- |
| View help | `.\CertgenVVD-3.0.4.ps1 -help` (or `-h`) |
| Validate the readiness of the machine on which you plan to run the CertGenVVD utility | `.\CertgenVVD-3.0.4.ps1 -validate` (or `-v`) |
| Only generate a certificate signed by the OpenSSL root CA | `.\CertgenVVD-3.0.4.ps1 -openSSL` (or `-openSSLCASigned`) |
| Generate all supported certificate file types, that is, CSRs, OpenSSL CA-signed certificates, and Microsoft CA-signed certificates | `.\CertgenVVD-3.0.4.ps1 -all` |