Search the VMware Knowledge Base (KB)
View by Article ID

Configuring certificates for PSC for High Availability in vSphere 6.5 (2147627)

  • 2 Ratings
Language Editions

Purpose

This article provides information on creating certificates to use in configuring Platform Service Controller High Availability.

Resolution

This article is part of a series for configuring PSC HA, for the main article, see Configuring Platform Service Controller HA in vSphere 6.5 (2147018).

Creating the certificate request

  1. Using a text editor, create the psc_ha_csr_cfg.cfg file with these entries:

    [ req ]
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    [ v3_req ]
    basicConstraints = CA:false
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
    [ req_distinguished_name ]
    countryName = Country
    stateOrProvinceName = State
    localityName = City
    0.organizationName = Company
    organizationalUnitName = Department
    commonName = psc-ha-vip.domain.com


    Notes:
    • The subjectAltName values should contain all PSC FQDNs that will participate in this HA Site, including the Load Balanced FQDN.
    • The commonName value should be the Load Balanced FQDN.

  2. Run this command to create a psc-ha-vip.csr and a psc-ha-vip.key file.

    openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg

    Note:  2048 bit key length private key is created with rsa:2048. This value can be increased, 2048 is the minimum supported key length.

Generating a certificate from the VMCA

  1. Run this command to create the certificate from the psc-ha-vip.csr and the the psc_ha_csr_cfg.cfg file outputting a psc-ha-vip.crt file.

    openssl x509 -req -days 3650 -in /certs/psc-ha-vip.csr -out /certs/psc-ha-vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg

  2. Run this command to copy the current VMCA root certificate and rename it to cachain.crt.

    cp /var/lib/vmware/vmca/root.cer /certs/cachain.crt

  3. Run this command to create Machine SSL Certificate that contains the newly created certificate and the VMCA root certificate named psc-ha-vip-chain.crt.

    cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
    cat /certs/cachain.crt >> /certs/psc-ha-vip-chain.crt

Generating a certificate from an external certificate authority

  1. Provide the certificate signing request generated in the previous steps to preferred certificate authority. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority(2112014).
  2. Run these commands to create a certificate chain named psc-ha-vip-chain.crt, using Root CA, Machine SSL Certificate, and any Intermediate CA(s).

    Note: Depending on the certificate server configuration adding the CustomInterCA#.crt may not be needed.

    cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
    cat /certs/CustomInterCA1.crt >> /certs/psc-ha-vip-chain.crt
    cat /certs/CustomInterCA2.crt >> /certs/psc-ha-vip-chain.crt
    cat /certs/CustomRootCA.crt >> /certs/psc-ha-vip-chain.crt


  3. If there is intermediate certificates, run these commands to create a cachain.crt of the intermediate certificates and the root certificate.

    cat /certs/CustomInterCA1.crt >> /certs/cachain.crt
    cat /certs/CustomInterCA2.crt >> /certs/cachain.crt
    cat /certs/CustomRootCA.crt >> /certs/cachain.crt

Preparing Certificates

Three certificates should have been created:
  • psc-ha-vip-chain.crt
  • psc-ha-vip.key
  • cachain.crt
Validate the certificate information
  1. Run this command to open the certificate:

    openssl x509 -in /certs/psc-ha-vip-chain.crt -noout -text

  2. Ensure that the Subject CN value is the correct Load Balanced FQDN.
  3. Ensure that the the DNS values contain all PSC FQDNs and Load Balancer FQDN.

Replacing the Certificates on the Platform Services Controller

  1. Launch the Certificate-Manager using this command:

    /usr/lib/vmware-vmca/bin/certificate-manager

  2. Select Option 1, then Option 2.
  3. Provide the paths to the psc-ha-vip-chain.crt, psc-ha-vip.key and cachain.crt files created in the Preparing Certificates section.

    For example:

    Please provide valid custom certificate for Machine SSL.
    File : /certs/psc-ha-vip-chain.crt
    Please provide valid custom key for Machine SSL.
    File : /certs/psc-ha-vip.key
    Please provide the signing certificate of the Machine SSL certificate
    File : /certs/cachain.crt
    Important: Replace the Machine SSL Certificate of the additional PSC using the same certificate.

See Also

Language Editions

ja,2148111;zh_cn,2148290;de,2148875

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 2 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 2 Ratings
Actions
KB: