The Certificate Generation Utility for VMware Validated Designs (CertGenVVD) is a PowerShell utility that you can use to generate custom certificates for the products that you use to build a Software-Defined Data Center (SDDC) based on VMware Validated Design for Software-Defined Data Center. Use the utility to reduce the number of steps for end-to-end certificate replacement.
CertGenVVD is written in PowerShell. It operates according to the settings in a configuration file and generates custom SSL certificates that can be signed by the following enterprise certificate authorities (CAs):
For information about certificate replacement during SDDC deployment, see VMware Validated Design Architecture and Design and VMware Validated Design Planning and Preparation from the VMware Validated Designs Documentation.
Version 5.0 of the CertGenVVD utility provides the following new features:
The CertGenVVD utility requires a Windows operating system with the following installed.
Platform Component | Required Version |
---|---|
Operating system | Windows Server 2016 or 2012 R2 |
OpenSSL | 1.0.2q or later |
Visual C++ Redistributable Packages | 2013 |
CertGenVVD requires an OpenSSL binary for Windows, which can be compiled from the sources at OpenSSL.org. Additionally, the OpenSSL Wiki page (https://wiki.openssl.org/index.php/Binaries) lists pre-compiled Windows binaries built by third parties. Read all security disclosures and disclaimers when using binaries compiled by third parties. The recommended third-party binary is Win64 OpenSSL v1.0.2q Light, because it does not include the unnecessary OpenSSL source code.
Before executing CertGenVVD, ensure that the path for the OpenSSL binary for Windows is set in the PATH environment variable and that the Microsoft Visual C++ Redistributable Packages for Visual Studio 2013 is installed.
The CertGenVVD utility is compatible with certain versions of VMware Validated Design for Software-Defined Data Center.
Product Version | Compatibility | CertGenVVD Version |
---|---|---|
VMware Validated Design for Software-Defined Data Center 5.1.x | Yes | CertGenVVD 5.0 |
The CertGenVVD utility consists of a PowerShell script and configuration files that you can update according to the requirements of your environment.
File or Folder | Description |
---|---|
CertgenVVD-5.0.version.ps1 | This PowerShell script generates the certificates. |
RegionA-Hosts.csv, RegionB-Hosts.csv, Consolidated-Hosts.csv, Robo-Hosts.csv | Configuration CSVs that match a VMware Validated Design. You can use them as samples for your environment. |
The CertGenVVD utility is compliant with the certificate requirements of the SDDC management products that are used in VMware Validated Designs.
For more information about the certificate requirements of each product in this VMware Validated Design, see the documentation for the VMware product versions included in this design using the links in this table. For information about the product versions that are included in VMware Validated Design 5.1.x, see VMware Validated Design for Software-Defined Data Center 5.1.x Release Notes.
Product Name | Certificate Requirements |
---|---|
vCenter Server and Platform Services Controller | Use Custom Certificates with vSphere in the Platform Services Controller Administration documentation |
NSX for vSphere | NSX Manager SSL Certification in the NSX Administration Guide |
vRealize Automation | Updating vRealize Automation Certificates in the Managing vRealize Automation documentation |
vRealize Business | Change or Replace the SSL Certificate of vRealize Business for Cloud in the vRealize Business Install Guide |
vRealize Operations Manager | Custom vRealize Operations Manager Certificate Requirements in the Installing vRealize Operations Manager documentation |
vRealize Log Insight | Install a Custom SSL Certificate in the Administering vRealize Log Insight documentation |
vRealize Suite Lifecycle Manager | Replace Certificate on the vRealize Suite Lifecycle Manager Appliance in the vRealize Suite Lifecycle Manager documentation |
vSphere Replication | Change the SSL Certificate of the vSphere Replication Appliance in the vSphere Replication Administration documentation |
Site Recovery Manager | Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager in the Site Recovery Manager Installation and Configuration documentation |
To run the CertGenVVD utility, you must meet specific requirements on the Windows system on which you run the utility.
Although non-administrator users can download and launch the tool, operations may fail if you do not have the correct permissions.
To use the CertGenVVD tool with versions 5.1.x of VMware Validated Design, from the Attachments section download the version-specific .zip file that contains the configuration files for the version, and then extract and replace the content in a local directory.
Column | Description |
---|---|
Name | Description of each row. This will not be used in the configuration file and should not be altered. |
DNS* | Short names of the components. Add the NetBIOS name for each component node. |
DOMAIN | Domain name for your organization. |
FileName | Folder name for all generated files. It will not affect the actual contents of the certificate. |
.\CertGenVVD-5.0.ps1
Note: If you are using VMware Cloud Builder to deploy your VMware Validated Design, this password should match the password entered in the Certificate Management section of the Deploy Parameters tab in the Cloud Builder Deployment Parameters spreadsheet.
The certificates are signed by a Microsoft CA according to the requirements of the validated design.
The generated certificates are saved to the certgenvvd_home_dir\SignedByMSCACerts folder in multiple formats according to the certificate requirements of the SDDC management components, that is, in X.509, PEM, PKCS#12 and PKCS#7.
The CertGenVVD utility configures the certificate chain files with the password that you specified during the generation.
CertGenVVD supports intermediate Microsoft certificate authorities and does not need access to the root certificate authority. CertGenVVD concatenates the certificates of all of the certificate authorities into the certificate chain.
.\CertGenVVD-5.0.ps1
Note: Inspect the intermediate CA certificate and look for the "Issued By" value. The full path will be "Issuing-CA-FQDN\Issued-By-Value".
.\CertGenVVD-5.0.ps1
copy /B IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer Root64.cer
.\CertGenVVD-5.0.ps1
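The chain-building step above concatenates the intermediate and root CA certificates in issuing order. The following PowerShell function is an added example, not part of CertGenVVD, that checks the "Issued By" relationship between each CA certificate and the next before writing the concatenated chain file; the file names are the placeholders from the copy command above and should be replaced with your own CA certificate files.

```powershell
# Added example (not CertGenVVD code): validate CA ordering and build Root64.cer.
# Expected order in $CaCertPaths: issuing CA first, then higher intermediates, root last.
function New-CaChainFile {
    param(
        [Parameter(Mandatory)] [string[]] $CaCertPaths,
        [Parameter(Mandatory)] [string]   $OutputPath
    )
    # X509Certificate2 loads both DER and Base64-encoded .cer files
    $certs = foreach ($p in $CaCertPaths) {
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList (Resolve-Path $p).Path
    }
    # Every certificate must be issued by the one that follows it (its "Issued By" value)
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            throw "Chain order error: '$($certs[$i].Subject)' is issued by '$($certs[$i].Issuer)', not by '$($certs[$i + 1].Subject)'"
        }
    }
    # The last certificate must be the self-signed root
    $root = $certs[-1]
    if ($root.Subject -ne $root.Issuer) {
        throw "Last certificate '$($root.Subject)' is not a self-signed root CA"
    }
    # Emit each certificate as a Base64 PEM block, in the validated order
    $pem = foreach ($c in $certs) {
        $b64 = [Convert]::ToBase64String($c.RawData, 'InsertLineBreaks')
        "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
    }
    Set-Content -Path $OutputPath -Value ($pem -join "`n") -Encoding Ascii
    # Return a summary so the operator can confirm names and expiry dates
    return $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Usage with the placeholder file names from the copy command above
New-CaChainFile -CaCertPaths 'IntermediateCAroot01.cer', 'IntermediateCAroot02.cer', 'RootCA.cer' `
                -OutputPath 'Root64.cer'
```

The function throws instead of writing the file when the order is wrong, so a mis-ordered chain is caught before it is handed to CertGenVVD.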
Additional options available
Option | Command |
---|---|
View help | h |
Validate the readiness of the machine on which you plan to run the CertGenVVD utility | v |