Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center (2146215)

Purpose

About Certificate Generation Utility for VMware Validated Designs

The Certificate Generation Utility for VMware Validated Designs (CertGenVVD) is a command-line utility that you can use to generate custom certificates for the products that you use to build a Software-Defined Data Center (SDDC) based on VMware Validated Design for Software-Defined Data Center. Use the utility to reduce the number of steps for end-to-end certificate replacement.

CertGenVVD is based on PowerShell. It operates according to the settings in a configuration file and generates custom SSL certificates that can be signed by the following enterprise certificate authorities (CAs):

  • Microsoft Certificate Authority
  • OpenSSL Certificate Authority

If your environment requires custom SSL certificates that must be signed by a trusted third-party CA, you can use the CertGenVVD tool to generate a Certificate Signing Request (CSR) and have it signed by the third-party CA.

For information about certificate replacement during SDDC deployment, see VMware Validated Design Architecture and Design and VMware Validated Design Deployment for Region A from the VMware Validated Designs Documentation.

What's new in the CertGenVVD utility

Version 3.0 of the CertGenVVD utility provides the following new features:

  • Support for an intermediate certificate authority
  • Certificate generation to support VMware Validated Design for Remote Office and Branch Office

Supported platforms

You run the CertGenVVD utility on a Windows operating system that has the Java SE Development Kit and OpenSSL installed.

Platform Component: Required Version
  • Operating system: Windows Server 2008 R2 Enterprise, Windows Server 2012 R2 Standard, or Windows Server 2012 R2 Datacenter
  • Java SE Development Kit (JDK): 1.7 or later
  • OpenSSL: 1.0.2d or later

Compatibility

The CertGenVVD utility is compatible with certain versions of VMware Validated Design for Software-Defined Data Center.

Product Version: Compatibility (CertGenVVD Version)
  • VMware Validated Design for Remote Office and Branch Office 4.0.x: Yes (CertGenVVD 3.0)
  • VMware Validated Design for Software-Defined Data Center 4.0.x: Yes (CertGenVVD 3.0)
  • VMware Validated Design for Software-Defined Data Center 3.0.x: Yes (CertGenVVD 3.0)
  • VMware Validated Design for Software-Defined Data Center 2.0: Yes (CertGenVVD 3.0)
  • VMware Validated Design for Software-Defined Data Center 1.0: No (None)

Note: VMware Validated Design for Software-Defined Data Center 1.0 is available to customers as a certified VMware partner program or with the help of VMware Professional Services.

Utility File Structure

The CertGenVVD utility consists of a PowerShell script and configuration files that you can update according to the requirements of your environment.
File or Folder: Description
  • default.txt: This file contains default values for the attributes Organization, Organization Unit, Location, State, Country, Common Name and Certificate Key Size for CSR generation.
  • CertgenVVD-3.0.ps1: This script runs the utility on Windows PowerShell.
  • ConfigFiles: This folder contains a configuration file for each product. You can use the configuration files without modifications, unless you use different host names or cluster IP addresses in your deployment.

For example, the configuration file for vRealize Log Insight contains the following settings:

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=vrli-cluster-01.sfo01.rainpole.local
    keysize=default
    [SAN]
    vrli-cluster-01
    vrli-mstr01
    vrli-wrkr01
    vrli-wrkr02
    vrli-cluster-01.sfo01.rainpole.local
    vrli-mstr01.sfo01.rainpole.local
    vrli-wrkr01.sfo01.rainpole.local
    vrli-wrkr02.sfo01.rainpole.local

In the [CERT] section, if a property value is equal to default, the utility uses the value that is defined in default.txt.

Default certificate key size is set to 2048, except for the vRealize Operations Manager certificate. In vrops.txt, the key size for the vRealize Operations Manager is set to 4096.
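The [CERT]/[SAN] layout and the default substitution rule, as an added Python example that is not part of the CertGenVVD utility: it resolves a product file against default.txt and runs the checks a practitioner wants before submitting a CSR. The layout of default.txt is not shown in this article, so the example assumes it uses the same key=value form as [CERT]; the sample values and the helper names (resolve, check) are the example's own.

```python
# Constructed sample: the vRealize Log Insight file quoted in the article, cut to two SAN entries.
VRLI_CONFIG = """[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=vrli-cluster-01.sfo01.rainpole.local
keysize=default
[SAN]
vrli-cluster-01
vrli-cluster-01.sfo01.rainpole.local
"""
# Constructed default.txt (layout assumed to be key=value like [CERT]; values are made up).
DEFAULTS = "NAME=vrli\nORG=Rainpole\nOU=Platform\nLOC=Palo Alto\nST=California\nCC=US\nCN=localhost\nkeysize=2048\n"
# Config attribute -> X.500 subject attribute in the CSR.
SUBJECT_MAP = {"CC": "C", "ST": "ST", "LOC": "L", "ORG": "O", "OU": "OU", "CN": "CN"}

def parse_sections(text):
    """INI-like split into {SECTION: [lines]}; lines before any [section] go under ''."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def parse_kv(lines):
    """key=value lines -> dict (a bare [SAN]-style line here is a config error)."""
    pairs = [line.partition("=") for line in lines]
    if any(not sep for _, sep, _ in pairs):
        raise ValueError("expected key=value lines in [CERT] / default.txt")
    return {k.strip(): v.strip() for k, _, v in pairs}

def resolve(config_text, defaults_text):
    """Apply the article's rule: a [CERT] value equal to 'default' is taken from default.txt."""
    cfg, dsec = parse_sections(config_text), parse_sections(defaults_text)
    defaults = parse_kv(dsec[""] + dsec.get("CERT", []))
    cert = parse_kv(cfg.get("CERT", []))
    for key, value in cert.items():
        if value.lower() == "default":
            if key not in defaults:
                raise ValueError(f"{key}=default but default.txt defines no {key}")
            cert[key] = defaults[key]
    subject = {SUBJECT_MAP[k]: cert[k] for k in SUBJECT_MAP if k in cert}
    return {"name": cert.get("NAME", ""), "subject": subject,
            "keysize": int(cert["keysize"]), "san": cfg.get("SAN", [])}

def check(spec):
    """Pre-CSR sanity checks: key size, CN present as a SAN entry, no duplicate SANs."""
    problems = []
    if spec["keysize"] < 2048:
        problems.append(f"key size {spec['keysize']} is below the 2048-bit default")
    if spec["subject"].get("CN") not in spec["san"]:
        problems.append("CN is not listed under [SAN]; name-matching clients ignore CN")
    if len(set(spec["san"])) != len(spec["san"]):
        problems.append("duplicate [SAN] entries")
    return problems
```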

Certificate Requirements

The CertGenVVD utility is compliant with the certificate requirements of the SDDC management products that are used in VMware Validated Designs.

Certificate Requirements for VMware Validated Design for Software-Defined Data Center 4.0

For more information about the certificate requirements of each product in this VMware Validated Design, see the documentation for the VMware product versions included in this design using the links in this table. For information about the product versions that are included in this VMware Validated Design 4.0, see VMware Validated Design for Software-Defined Data Center 4.0 Release Notes.

Product Name: Certificate Requirements
  • ESXi: Replacing ESXi SSL Certificates and Keys in the vSphere Security documentation
  • vCenter Server and Platform Services Controller: Use Custom Certificates with vSphere in the Platform Services Controller Administration documentation
  • NSX for vSphere: NSX Manager SSL Certification in NSX Administration Guide
  • vSphere Data Protection: (no reference listed)
  • vRealize Automation: Updating vRealize Automation Certificates in the Managing vRealize Automation documentation
  • vRealize Orchestrator: Manage Certificates in the Installing and Configuring VMware vRealize Orchestrator documentation
  • vRealize Business: (no reference listed)
  • vRealize Operations Manager: Custom vRealize Operations Manager Certificate Requirements in the Installing vRealize Operations Manager documentation
  • vRealize Log Insight: Install a Custom SSL Certificate from the Administering vRealize Log Insight documentation
  • vSphere Replication: Change the SSL Certificate of the vSphere Replication Appliance in the vSphere Replication Administration documentation
  • Site Recovery Manager: Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager in the Site Recovery Manager Installation and Configuration documentation


Certificate Requirements for VMware Validated Design for Software-Defined Data Center 3.0.2

For more information about the certificate requirements of each product in this VMware Validated Design, see the documentation for the VMware product versions included in this design using the links in this table. For information about the product versions that are included in this VMware Validated Design 3.0.2, see VMware Validated Design for Software-Defined Data Center 3.0.2 Release Notes.

Product Name: Certificate Requirements
  • vCenter Server and Platform Services Controller: Certificate Requirements in the vSphere Security documentation
  • NSX for vSphere: NSX Manager SSL Certification in NSX Administration Guide
  • vSphere Data Protection: (no reference listed)
  • vRealize Automation: Updating vRealize Automation Certificates in the Managing vRealize Automation documentation
  • vRealize Orchestrator: Manage Certificates in the Installing and Configuring VMware vRealize Orchestrator documentation
  • vRealize Business: (no reference listed)
  • vRealize Operations Manager: Custom vRealize Operations Manager Certificate Requirements in the Installing vRealize Operations Manager documentation
  • vRealize Log Insight: Install a Custom SSL Certificate from the Administering vRealize Log Insight documentation
  • vSphere Replication: Requirements When Using a Public Key Certificate with vSphere Replication in the vSphere Replication Administration documentation
  • Site Recovery Manager: Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager in the Site Recovery Manager Installation and Configuration documentation


Certificate Requirements for VMware Validated Design for Software-Defined Data Center 2.0 and 3.0

For more information about the certificate requirements of each product in this VMware Validated Design, see the documentation for the VMware product versions included in this design using the links in this table.

For information about the product versions that are included in this VMware Validated Design 2.0, see Introducing VMware Validated Design for Software-Defined Data Center 2.0.  For information about the product versions that are included in this VMware Validated Design 3.0, see VMware Validated Design for Software-Defined Data Center 3.0 Release Notes.

Product Name: Certificate Requirements
  • vCenter Server and Platform Services Controller: Certificate Requirements in the vSphere Security documentation
  • NSX for vSphere: NSX Manager SSL Certification in NSX Administration Guide
  • vSphere Data Protection: (no reference listed)
  • vRealize Automation: Updating vRealize Automation Certificates in the Managing vRealize Automation documentation
  • vRealize Orchestrator: Manage Certificates in the Installing and Configuring VMware vRealize Orchestrator documentation
  • vRealize Business: (no reference listed)
  • vRealize Operations Manager: Custom vRealize Operations Manager Certificate Requirements in the Installing vRealize Operations Manager documentation
  • vRealize Log Insight: Install a Custom SSL Certificate from the Administering vRealize Log Insight documentation
  • vSphere Replication: Requirements When Using a Public Key Certificate with vSphere Replication in the vSphere Replication Administration documentation
  • Site Recovery Manager: Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager in the Site Recovery Manager Installation and Configuration documentation


Resolution

Prerequisites

To run the CertGenVVD utility, you must meet specific requirements on the Windows system on which you run the utility.

  • Verify that the account that you use to log in has administrative privileges.

    Although non-administrator users can download and launch the tool, all operations fail if you do not have the proper permissions.

  • Verify that the Windows system has access to the data center infrastructure nodes that are designated to host the SDDC management components.
  • Update the default.txt file with values according to the certificate requirements of your organization.
  • Update the configuration files in the ConfigFiles folder with product details if the SDDC deployment uses different host names and IP addresses, or requires certificate attributes different from the default ones.
    • List all host names under the [SAN] section in the product-specific configuration file.
    • Configure product-specific certificate attributes under the [CERT] section in the product-specific configuration file.
  • Create a Microsoft Certificate Authority template, called VMware, that you use to generate the certificates for the SDDC management components. See Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108) or VMware Validated Design Deployment for Region A from the VMware Validated Designs Documentation.

Install the CertGenVVD utility

  1. Download the CertGenVVD tool.
  2. Copy the tool to a Windows virtual machine that has access to the infrastructure nodes.
  3. Extract the ZIP file to any folder and preserve the folder structure.

Use the CertGenVVD utility to create CA-signed certificates

  1. Open a Windows PowerShell prompt as an administrator and navigate to the certgenvvd_home_dir\CertGenVVD-3.0 folder.
  2. Configure the PowerShell execution policy with the permissions required to run the commands.
    1. Run the Get-ExecutionPolicy command to get the active execution policy.
    2. If the Get-ExecutionPolicy command returns Restricted, run the Set-ExecutionPolicy RemoteSigned command.
  3. Run the command for generating certificates for the SDDC management components in VMware Validated Design according to the version of the CertGenVVD utility.

    .\CertGenVVD-3.0.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'

The certificates are signed by the Microsoft CA according to the requirements of the validated design.

The generated certificates are saved to the certgenvvd_home_dir\SignedByMSCACerts folder in multiple formats according to the certificate requirements of the SDDC management components, that is, in X.509, PEM, PKCS#12 and PKCS#7.

The CertGenVVD utility configures the certificate chain files with the password that you specified during the generation.

Use the CertGenVVD utility to create certificates that are signed by an intermediate certificate authority 

CertGenVVD 3.0 supports intermediate Microsoft certificate authorities and does not need access to the root certificate authority. CertGenVVD concatenates the certificates of all of the certificate authorities into the certificate chain. 

To use this feature, run the CertGenVVD utility in the same workflow sequence that you use in the root-only CA case, with the additional -intermediate option.

.\CertGenVVD-3.0.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -intermediate

Use the CertGenVVD utility to create certificate requests to a third-party CA

  1. Open a Windows PowerShell prompt as an administrator and navigate to the certgenvvd_home_dir\CertGenVVD-3.0 folder.
  2. Configure the PowerShell execution policy with the permissions required to run the commands.
    1. Run the Get-ExecutionPolicy command to get the active execution policy.
    2. If the Get-ExecutionPolicy command returns Restricted, run the Set-ExecutionPolicy RemoteSigned command.
  3. Run the command for generating certificates for the SDDC management components in VMware Validated Design according to the version of the CertGenVVD utility.

    .\CertGenVVD-3.0.ps1 -CSR

  4. Locate the CSR files in the certgenvvd_home_dir\CertGenVVD-3.0\CSRCerts folder and send them to the third-party CA to get signed certificates.

    The CA sends you a signed .cer file for each CSR and the root certificate.

  5. Rename the CA root certificate to Root64.cer.
  6. If there are multiple intermediate CAs, concatenate the certificates into one certificate chain file, intermediate certificates first and the root certificate last. Concatenation produces a valid chain only if each .cer file is Base-64 (PEM) encoded. The copy command belongs to cmd.exe, so from the PowerShell prompt run it through cmd /c (the PowerShell copy alias, Copy-Item, does not concatenate files).

    cmd /c copy /b IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer Root64.cer

  7. Place the signed certificates in the corresponding CertGenVVD-3.0\CSRCerts\<product> directories, and Root64.cer in CertGenVVD-3.0\CSRCerts\Root64.
  8. Run CertGenVVD 3.0 one more time with the -CSR and -extra command options.

    This run generates all the certificates that are required for the SDDC management components in VMware Validated Designs.

    .\CertGenVVD-3.0.ps1 -CSR -extra
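A check for the concatenated Root64.cer that steps 5 to 7 produce, as an added Python example that is not part of CertGenVVD: it confirms the bundle is PEM, that each certificate was issued by the one after it, and that the last one is a self-signed root. It compares only the DER-encoded issuer and subject names (no signature verification); the sample certificates are constructed, unsigned skeletons and the helper names (check_chain, fake_cert) are the example's own.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """All (tag, value) elements inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(der):
    """DER-encoded issuer and subject Names of an X.509 certificate (no signature check)."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])           # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                   # serial, sigAlg, issuer, validity, subject

def check_chain(pem_text):
    """Problems in a Root64.cer-style bundle: intermediates first, each issued by the next, root last."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return ["no PEM blocks found: DER-encoded .cer files cannot be concatenated into a chain"]
    certs = [base64.b64decode("".join(b.split()), validate=True) for b in blocks]
    problems = [f"certificate {i + 2} did not issue certificate {i + 1}"
                for i in range(len(certs) - 1)
                if issuer_and_subject(certs[i])[0] != issuer_and_subject(certs[i + 1])[1]]
    issuer, subject = issuer_and_subject(certs[-1])
    if issuer != subject:
        problems.append("last certificate is not self-signed: the root CA certificate is missing")
    return problems

# Constructed sample data: minimal, unsigned certificate skeletons for demonstration only.
def _der(tag, value):
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def _name(cn):          # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))

def fake_cert(subject, issuer):
    """PEM text of a structurally valid but unsigned certificate skeleton."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run check_chain on the text of Root64.cer; an empty list means the bundle is in the order the utility expects.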

Certificates files that are generated for VMware Validated Design

The CertGenVVD utility creates the following certificate chain files in the certgenvvd_home_dir\SignedByMSCACerts folder.

Note: You generate certificates for Site Recovery Manager and vSphere Replication only if you deploy a dual-region SDDC.

Certificate files for the SDDC management components in Region A

Management Component: Generated Certificate Files

ESXi hosts in the management pod
    RootCA\Root64.cer
    mgmt01esx01.sfo01\mgmt01esx01.sfo01.key
    mgmt01esx01.sfo01\mgmt01esx01.sfo01.1.cer
    mgmt01esx02.sfo01\mgmt01esx02.sfo01.key
    mgmt01esx02.sfo01\mgmt01esx02.sfo01.1.cer
    mgmt01esx03.sfo01\mgmt01esx03.sfo01.key
    mgmt01esx03.sfo01\mgmt01esx03.sfo01.1.cer
    mgmt01esx04.sfo01\mgmt01esx04.sfo01.key
    mgmt01esx04.sfo01\mgmt01esx04.sfo01.1.cer
ESXi hosts in the compute pod
    RootCA\Root64.cer
    comp01esx01.sfo01\comp01esx01.sfo01.key
    comp01esx01.sfo01\comp01esx01.sfo01.1.cer
    comp01esx02.sfo01\comp01esx02.sfo01.key
    comp01esx02.sfo01\comp01esx02.sfo01.1.cer
    comp01esx03.sfo01\comp01esx03.sfo01.key
    comp01esx03.sfo01\comp01esx03.sfo01.1.cer
    comp01esx04.sfo01\comp01esx04.sfo01.key
    comp01esx04.sfo01\comp01esx04.sfo01.1.cer
Platform Services Controller for the management and shared edge and compute pods
    For versions 2.0, 3.0 and 3.0.2 of VMware Validated Designs:
    RootCA\Root64.cer
    mgmt01psc01.sfo01\mgmt01psc01.sfo01.key
    mgmt01psc01.sfo01\mgmt01psc01.sfo01.1.cer
    For version 4.0 of VMware Validated Designs:
    RootCA\Root64.cer
    sfo01psc01.sfo01\sfo01psc01.sfo01.key
    sfo01psc01.sfo01\sfo01psc01.sfo01.1.cer
vCenter Server for the management pod
    RootCA\Root64.cer
    mgmt01vc01.sfo01\mgmt01vc01.sfo01.key
    mgmt01vc01.sfo01\mgmt01vc01.sfo01.1.cer
NSX Manager for the management pod
    mgmt01nsxm01.sfo01\mgmt01nsxm01.sfo01.4.p12
Platform Services Controller for the shared edge and compute pod
    For versions 2.0, 3.0 and 3.0.2 of VMware Validated Designs:
    RootCA\Root64.cer
    comp01psc01.sfo01\comp01vc01.sfo01.key
    comp01psc01.sfo01\comp01vc01.sfo01.1.cer
    For version 4.0 of VMware Validated Designs:
    RootCA\Root64.cer
    sfo01psc01.sfo01\sfo01psc01.sfo01.key
    sfo01psc01.sfo01\sfo01psc01.sfo01.1.cer
vCenter Server for the compute pod
    RootCA\Root64.cer
    comp01vc01.sfo01\comp01vc01.sfo01.key
    comp01vc01.sfo01\comp01vc01.sfo01.1.cer
NSX Manager for the compute pod
    comp01nsxm01.sfo01\comp01nsxm01.sfo01.4.p12
vRealize Operations Manager
    vrops\vrops.2.chain.pem
    For versions 2.0, 3.0 and 3.0.2 of VMware Validated Designs, use the PEM file from the ForVVD3.0 sub-folder.
vRealize Log Insight
    vrli.sfo01\vrli.sfo01.2.chain.pem
vRealize Automation
    vra\vra.key
    vra\vra.2.chain.pem
vRealize Orchestrator
    vro\vro.2.chain.pem
vRealize Business
    vrb\vrb.key
    vrb\vrb.2.chain.pem
vSphere Data Protection
    mgmt01vdp01\.keystore
Site Recovery Manager
    mgmt01srm01.sfo01\mgmt01srm01.sfo01.5.p12
vSphere Replication
    mgmt01vrms01.sfo01\mgmt01vrms01.sfo01.5.p12


Certificate files for the SDDC management components in Region B

Management Component: Generated Certificate Files

ESXi hosts in the management pod
    RootCA\Root64.cer
    mgmt01esx51.lax01\mgmt01esx51.lax01.key
    mgmt01esx51.lax01\mgmt01esx51.lax01.1.cer
    mgmt01esx52.lax01\mgmt01esx52.lax01.key
    mgmt01esx52.lax01\mgmt01esx52.lax01.1.cer
    mgmt01esx53.lax01\mgmt01esx53.lax01.key
    mgmt01esx53.lax01\mgmt01esx53.lax01.1.cer
    mgmt01esx54.lax01\mgmt01esx54.lax01.key
    mgmt01esx54.lax01\mgmt01esx54.lax01.1.cer
ESXi hosts in the compute pod
    RootCA\Root64.cer
    comp01esx51.lax01\comp01esx51.lax01.key
    comp01esx51.lax01\comp01esx51.lax01.1.cer
    comp01esx52.lax01\comp01esx52.lax01.key
    comp01esx52.lax01\comp01esx52.lax01.1.cer
    comp01esx53.lax01\comp01esx53.lax01.key
    comp01esx53.lax01\comp01esx53.lax01.1.cer
    comp01esx54.lax01\comp01esx54.lax01.key
    comp01esx54.lax01\comp01esx54.lax01.1.cer
Platform Services Controller for the management pod
    For versions 2.0, 3.0 and 3.0.2 of VMware Validated Designs:
    RootCA\Root64.cer
    mgmt01psc51.lax01\mgmt01psc51.lax01.key
    mgmt01psc51.lax01\mgmt01psc51.lax01.1.cer
    For version 4.0 of VMware Validated Designs:
    RootCA\Root64.cer
    lax01psc51.lax01\lax01psc51.lax01.lax01.key
    lax01psc51.lax01\lax01psc51.lax011.lax01.1.cer
vCenter Server for the management pod
    RootCA\Root64.cer
    mgmt01vc51.lax01\mgmt01vc51.lax01.key
    mgmt01vc51.lax01\mgmt01vc51.lax01.1.cer
NSX Manager for the management pod
    mgmt01nsxm01.lax01\mgmt01nsxm51.lax01.4.p12
Platform Services Controller for the compute pod
    For versions 2.0, 3.0 and 3.0.2 of VMware Validated Designs:
    RootCA\Root64.cer
    comp01psc51.lax01\comp01psc51.lax01.key
    comp01psc51.lax01\comp01psc51.lax01.1.cer
    For version 4.0 of VMware Validated Designs:
    RootCA\Root64.cer
    lax01psc51.lax01\lax01psc51.lax01.lax01.key
    lax01psc51.lax01\lax01psc51.lax011.lax01.1.cer
vCenter Server for the compute pod
    RootCA\Root64.cer
    comp01vc51.lax01\comp01vc51.lax01.key
    comp01vc51.lax01\comp01vc51.lax01.1.cer
NSX Manager for the compute pod
    comp01nsxm51.lax01\comp01nsxm51.lax01.4.p12
vRealize Log Insight
    vrli.lax01\vrli.lax01.2.chain.pem
vSphere Data Protection
    mgmt01vdp51\.keystore
Site Recovery Manager
    mgmt01srm51.lax01\mgmt01srm51.lax01.5.p12
vSphere Replication
    mgmt01vrms51.lax01\mgmt01vrms51.lax01.5.p12


Certificate files for the SDDC management components for Remote Office and Branch Office

Management Component: Generated Certificate Files

ESXi hosts
    RootCA\Root64.cer
    nyc01esx01\nyc01esx01.key
    nyc01esx01\nyc01esx01.1.cer
    nyc01esx02\nyc01esx02.key
    nyc01esx02\nyc01esx02.1.cer
    nyc01esx03\nyc01esx03.key
    nyc01esx03\nyc01esx03.1.cer
    nyc01esx04\nyc01esx04.key
    nyc01esx04\nyc01esx04.1.cer
vCenter Server Instance with an Embedded Platform Services Controller
    RootCA\Root64.cer
    nyc01vc01\nyc01vc01.key
    nyc01vc01\nyc01vc01.1.cer
NSX Manager
    nyc01nsxm01\nyc01nsxm01.4.p12
vRealize Log Insight
    nyc01vrli01\nyc01vrli01.2.chain.pem
vRealize Business
    nyc01vrb01\nyc01vrb01.key
    nyc01vrb01\nyc01vrb01.2.chain.pem
vSphere Data Protection
    nyc01vdp01\.keystore

Additional command options that are not related to certificate generation for VMware Validated Designs

The CertGenVVD utility also supports options for generating certificate-related files that do not strictly comply with VMware Validated Designs.

Option: Command
  • View help: .\CertgenVVD-3.0.ps1 -help|h
  • Validate the readiness of the machine on which you plan to run the CertGenVVD utility: .\CertgenVVD-3.0.ps1 -validate|v
  • Only generate a certificate signed by OpenSSL Root CA: .\CertgenVVD-3.0.ps1 -openSSL | openSSLCASigned
  • Generate all supported certificate file types, that is, CSRs, OpenSSL CA-signed certificates, and Microsoft CA-signed certificates: .\CertgenVVD-3.0.ps1 -all
