This article is part of a series on configuring PSC HA. For the main article, see:
Creating the certificate request
- Connect to the vCenter Server or Platform Service Controller.
- Create a C:\certs\ folder.
- Create the psc_ha_csr_cfg.cfg file with these entries using a plain text editor:
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = psc-ha-vip.domain.com
Notes:
- The subjectAltName values should contain all PSC FQDNs that will participate in this HA Site, including the Load Balanced FQDN.
- The commonName value should be the Load Balanced FQDN.
- Open an elevated command prompt.
- Run this command to create a psc-ha-vip.csr and a psc-ha-vip.key file.
"%VMWARE_OPENSSL_BIN%" req -new -nodes -out C:\certs\psc-ha-vip.csr -newkey rsa:2048 -keyout C:\certs\psc-ha-vip.key -config C:\certs\psc_ha_csr_cfg.cfg
Note: rsa:2048 creates a 2048-bit RSA private key. This value can be increased; 2048 bits is the minimum supported key length.
Generating a certificate from the VMCA
- Run this command to create the certificate from the psc-ha-vip.csr and psc_ha_csr_cfg.cfg files, writing the result to psc-ha-vip.crt.
"%VMWARE_OPENSSL_BIN%" x509 -req -days 3650 -in C:\certs\psc-ha-vip.csr -out C:\certs\psc-ha-vip.crt -CA <path>root.cer -CAkey <path>privatekey.pem -extensions v3_req -CAcreateserial -extfile C:\certs\psc_ha_csr_cfg.cfg
- Run this command to copy the current VMCA root certificate into a file named cachain.crt.
more C:\certs\root.cer >> C:\certs\cachain.crt
- Run these commands to create the Machine SSL certificate chain file psc-ha-vip-chain.crt, containing the newly created certificate followed by the VMCA root certificate.
more C:\certs\psc-ha-vip.crt >> C:\certs\psc-ha-vip-chain.crt
more C:\certs\cachain.crt >> C:\certs\psc-ha-vip-chain.crt
Generating a certificate from an external certificate authority
- Provide the certificate signing request generated in the previous steps to your preferred certificate authority. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).
- Run these commands to create a certificate chain named psc-ha-vip-chain.crt, using the Root CA, Machine SSL Certificate, and any Intermediate CA(s).
Note: Depending on the certificate authority's configuration there may be no intermediate CA certificates, in which case the CustomInterCA#.crt lines are not needed.
more C:\certs\psc-ha-vip.crt >> C:\certs\psc-ha-vip-chain.crt
more C:\certs\CustomInterCA1.crt >> C:\certs\psc-ha-vip-chain.crt
more C:\certs\CustomInterCA2.crt >> C:\certs\psc-ha-vip-chain.crt
more C:\certs\CustomRootCA.crt >> C:\certs\psc-ha-vip-chain.crt
- If there are intermediate certificates, run these commands to create a cachain.crt containing the intermediate certificates followed by the root certificate.
more C:\certs\CustomInterCA1.crt >> C:\certs\cachain.crt
more C:\certs\CustomInterCA2.crt >> C:\certs\cachain.crt
more C:\certs\CustomRootCA.crt >> C:\certs\cachain.crt
Preparing certificates
Three files should have been created:
- psc-ha-vip-chain.crt
- psc-ha-vip.key
- cachain.crt
Validate the certificate information
- Run this command to display the certificate:
"%VMWARE_OPENSSL_BIN%" x509 -in C:\certs\psc-ha-vip-chain.crt -noout -text
- Ensure that the Subject CN value is the correct Load Balanced FQDN.
- Ensure that the DNS values contain all PSC FQDNs and the Load Balancer FQDN.
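Before handing the three files to certificate-manager, the checks in this section, together with the chain order that the more >> steps above depend on, can be automated. The following PowerShell script is an added example; it is not part of this article or of VMware's tooling. It assumes the C:\certs\ file names and the psc-ha-*.domain.com placeholder FQDNs used above (all overridable through its parameters), and it calls the bundled OpenSSL through %VMWARE_OPENSSL_BIN% only to confirm that the private key belongs to the certificate.

```powershell
# Added example (not from the VMware KB article): sanity-check the files built above
# before feeding them to certificate-manager. Assumed defaults: the C:\certs\ file
# names and the example FQDNs from psc_ha_csr_cfg.cfg; override them as needed.
param(
    [string]$ChainFile   = 'C:\certs\psc-ha-vip-chain.crt',
    [string]$KeyFile     = 'C:\certs\psc-ha-vip.key',
    [string]$CaChainFile = 'C:\certs\cachain.crt',
    [string]$VipFqdn     = 'psc-ha-vip.domain.com',
    [string[]]$NodeFqdns = @('psc-ha-a1.domain.com', 'psc-ha-a2.domain.com')
)

# Split a PEM bundle into X509Certificate2 objects, keeping the order found in the file.
function Get-PemCertificates {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

# Decode one DER length field at $Offset; returns the length and the offset of the content.
function Read-DerLength {
    param([byte[]]$Bytes, [int]$Offset)
    $first = $Bytes[$Offset]; $Offset++
    if (($first -band 0x80) -eq 0) { return @($first, $Offset) }
    $count = $first -band 0x7F
    $length = 0
    for ($i = 0; $i -lt $count; $i++) { $length = ($length * 256) + $Bytes[$Offset]; $Offset++ }
    return @($length, $Offset)
}

# dNSName entries of subjectAltName (OID 2.5.29.17), read from the raw DER bytes so the
# result does not depend on the Windows display language of the formatted extension text.
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $raw = $ext.RawData                                  # DER: SEQUENCE OF GeneralName
    $names = @()
    $len, $pos = Read-DerLength -Bytes $raw -Offset 1    # skip the outer SEQUENCE tag byte
    $end = $pos + $len
    while ($pos -lt $end) {
        $tag = $raw[$pos]
        $len, $pos = Read-DerLength -Bytes $raw -Offset ($pos + 1)
        if ($tag -eq 0x82) {                             # context tag [2] = dNSName (IA5String)
            $names += [Text.Encoding]::ASCII.GetString($raw, $pos, $len).ToLowerInvariant()
        }
        $pos += $len
    }
    return $names
}

# Byte-exact comparison of one certificate's issuer DN with another certificate's subject DN.
function Test-IssuedBy {
    param($Cert, $Issuer)
    return ([Convert]::ToBase64String($Cert.IssuerName.RawData) -eq [Convert]::ToBase64String($Issuer.SubjectName.RawData))
}

# Compare the RSA modulus of the key with that of the first certificate in the chain file.
function Test-KeyMatchesCertificate {
    param([string]$CertFile, [string]$KeyFile)
    $openssl = $env:VMWARE_OPENSSL_BIN                   # full path to openssl.exe on a Windows PSC
    if (-not $openssl) { $openssl = 'openssl' }
    $certMod = & $openssl x509 -in $CertFile -noout -modulus
    $keyMod  = & $openssl rsa  -in $KeyFile  -noout -modulus
    return ($certMod -eq $keyMod)
}

$problems = New-Object System.Collections.Generic.List[string]
$chain    = @(Get-PemCertificates -Path $ChainFile)
$caChain  = @(Get-PemCertificates -Path $CaChainFile)

if ($chain.Count -eq 0) {
    $problems.Add("$ChainFile contains no PEM certificates")
} else {
    $leaf = $chain[0]
    # 1. The Subject CN must be the load-balanced FQDN.
    $cn = $leaf.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $VipFqdn) { $problems.Add("Subject CN is '$cn', expected '$VipFqdn'") }
    # 2. subjectAltName must list every PSC node and the load-balanced FQDN.
    $san = @(Get-SanDnsNames -Cert $leaf)
    $expected = @($NodeFqdns) + $VipFqdn
    foreach ($fqdn in $expected) {
        if ($san -notcontains $fqdn) { $problems.Add("subjectAltName is missing DNS:$fqdn") }
    }
    # 3. The leaf must be inside its validity window right now.
    $now = Get-Date
    if ($leaf.NotBefore -gt $now -or $leaf.NotAfter -lt $now) { $problems.Add("Leaf certificate is not currently valid ($($leaf.NotBefore) to $($leaf.NotAfter))") }
    # 4. Chain order: leaf first, then each issuer in turn, ending with a self-signed root.
    for ($i = 0; $i -lt $chain.Count - 1; $i++) {
        if (-not (Test-IssuedBy -Cert $chain[$i] -Issuer $chain[$i + 1])) {
            $problems.Add("Certificate $($i + 1) in $ChainFile is not followed by its issuer; check the order of the 'more >>' commands")
        }
    }
    $root = $chain[-1]
    if (-not (Test-IssuedBy -Cert $root -Issuer $root)) { $problems.Add("Last certificate in $ChainFile is not a self-signed root") }
    # 5. cachain.crt must be exactly the chain minus the leaf, in the same order.
    $want = ($chain | Select-Object -Skip 1 | ForEach-Object Thumbprint) -join ','
    $have = ($caChain | ForEach-Object Thumbprint) -join ','
    if ($want -ne $have) { $problems.Add("$CaChainFile does not match the issuer certificates in $ChainFile") }
    # 6. The private key must belong to the leaf certificate.
    if (-not (Test-KeyMatchesCertificate -CertFile $ChainFile -KeyFile $KeyFile)) { $problems.Add("$KeyFile does not match the certificate in $ChainFile") }
}

if ($problems.Count -eq 0) { Write-Output 'OK: certificate files are consistent'; exit 0 }
$problems | ForEach-Object { Write-Output "PROBLEM: $_" }
exit 1
```

Run the script from an elevated PowerShell prompt on the PSC. A non-zero exit code with PROBLEM lines means the chain or key should be corrected before continuing, since certificate-manager will otherwise fail part-way through the replacement. A wrong order of the more >> commands shows up as check 4 or 5 failing, and a CSR regenerated after the certificate was issued shows up as check 6 failing.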
Replacing the Certificates on the Platform Services Controller
- Launch certificate-manager with this command:
"C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager"
- Select Option 1, then Option 2.
- Provide the paths to the psc-ha-vip-chain.crt, psc-ha-vip.key and cachain.crt files created in the Preparing Certificates section.
For example:
Please provide valid custom certificate for Machine SSL.
File : C:\certs\psc-ha-vip-chain.crt
Please provide valid custom key for Machine SSL.
File : C:\certs\psc-ha-vip.key
Please provide the signing certificate of the Machine SSL certificate
File : C:\certs\cachain.crt
Important: Replace the Machine SSL Certificate on each additional PSC in this HA site using the same certificate, key and chain files.