Certificate Replacement


VMware Validated Design for Software-Defined Data Center

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see EN

You can find the most up-to-date technical documentation on the VMware Web site at:

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2017 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. Hillview Ave. Palo Alto, CA

Contents

About VMware Validated Design Certificate Replacement

1 Region A Certificate Replacement
  Create and Add a Microsoft Certificate Authority Template
  Use the Certificate Generation Utility to Generate Certificates Automatically in Region A
    Use the Certificate Generation Utility to Generate CA-Signed Certificates for the SDDC Management Components in Region A
    Additional Configuration for Intermediate Certificate Authority in Region A
  Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A
    Generate Manually Key Pairs and Certificate Signing Requests for the ESXi Hosts in Region A
    Generate Manually Key Pair and Certificate Signing Request for the Platform Services Controller Instances in Region A
    Generate Manually Key Pair and Certificate Signing Request for vCenter Server in Region A
    Generate Manually Key Pairs and Certificate Signing Requests for NSX in Region A
    Generate Manually Key Pair and Certificate Signing Request for vSphere Data Protection in Region A
    Generate Manually Key Pairs and Certificate Signing Requests for the Cloud Management Platform in Region A
    Manually Generate Key Pair and Certificate Signing Request for vRealize Operations Manager
    Generate Manually Key Pair and Certificate Signing Request for vRealize Log Insight in Region A
  Generate CA-Signed Certificates for the SDDC Management Components in Region A
  Replace Certificates of the Management Products in Region A
    Replace Certificates of the Virtual Infrastructure Components in Region A
    Replace Certificates of the Cloud Management Platform Components in Region A
    Replace Certificates of the Operations Management Components in Region A

2 Region B Certificate Replacement
  Create and Add a Microsoft Certificate Authority Template in Region B
  Use the Certificate Generation Utility to Generate Certificates Automatically in Region B
    Use the Certificate Generation Utility to Generate CA-Signed Certificates for the SDDC Management Components in Region B
    Additional Configuration for Intermediate Certificate Authority in Region B
  Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B
    Generate Manually Key Pairs and Certificate Signing Requests for the ESXi Hosts in Region B
    Generate Manually Key Pair and Certificate Signing Request for the Platform Services Controller Instances in Region B
    Generate Manually Key Pair and Certificate Signing Request for vCenter Server in Region B
    Generate Manually Key Pair and Certificate Signing Request for NSX in Region B
    Generate Manually Key Pair and Certificate Signing Request for vSphere Data Protection in Region B
    Generate Key Pairs and Certificate Signing Requests for Site Recovery Manager Certificates
    Generate Key Pairs and Certificate Signing Requests for vSphere Replication
    Generate Key Pair and Certificate Signing Request for vRealize Log Insight in Region B
  Generate CA-Signed Certificates for the SDDC Management Components in Region B
  Replace Certificates of the Management Products in Region B
    Replace Certificates of the Virtual Infrastructure Components in Region B
    Replace Certificates of the Operations Management Components in Region B

About VMware Validated Design Certificate Replacement

VMware Validated Design Certificate Replacement provides step-by-step instructions about replacing certificates on all management components of a running Software-Defined Data Center (SDDC) whose design follows this VMware Validated Design for Software-Defined Data Center.

The certificate replacement process consists of the following phases:

1 Obtain certificates for the management components that are signed by a custom certificate authority (CA).
  - Use the VMware Validated Design Certificate Generation utility to automatically generate the certificates for all components.
  - Manually generate Certificate Signing Requests (CSRs) and request CA-signed certificates providing the CSRs to the CA.
2 Replace the certificates in the live SDDC environment.

Intended Audience

The VMware Validated Design Certificate Replacement documentation is intended for cloud architects, infrastructure administrators, cloud administrators and cloud operators who are familiar with and want to use VMware software to deploy in a short time and manage an SDDC that meets the requirements for capacity, scalability, backup and restore, and disaster recovery.

Required Software

VMware Validated Design Certificate Replacement is compliant and validated with certain product versions. See VMware Validated Design Release Notes for more information about supported product versions.


Chapter 1 Region A Certificate Replacement

You first replace the certificate in Region A. As the protected region, it contains the main management components of the SDDC.

- Create and Add a Microsoft Certificate Authority Template
  You create a Microsoft Certificate Authority Template to contain the certificate authority (CA) attributes for signing certificates of VMware SDDC solution.
- Use the Certificate Generation Utility to Generate Certificates Automatically in Region A
  You can use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate signed certificates for all management components of this design in Region B. You can then import the certificates to these components to maintain a secure connection to the external network and between the components themselves.
- Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A
  Create certificate signing requests for the management components in the SDDC and send them to a certificate authority, such as the Microsoft AD server in Region A, for getting a signed component certificate.
- Generate CA-Signed Certificates for the SDDC Management Components in Region A
  When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA).
- Replace Certificates of the Management Products in Region A
  After you generate a certificate for a management product in Region A that is signed by the two-layered certificate authority on the child AD server in the region, replace the default certificate or an expired certificate with a newly-signed one on the product instance in the region.

Create and Add a Microsoft Certificate Authority Template

You create a Microsoft Certificate Authority Template to contain the certificate authority (CA) attributes for signing certificates of VMware SDDC solution.

The first step is setting up a Microsoft Certificate Authority template through a Remote Desktop Protocol session. After you have created the new template, you add it to the certificate templates of the Microsoft CA.

Prerequisites

This VMware Validated Design sets the CA up on both Active Directory (AD) servers: the main domain dc01rpl.rainpole.local (root CA) and the Region A subdomain dc01sfo.sfo01.rainpole.local (the intermediate CA). Both AD servers are running the Microsoft Windows Server 2012 R2 operating system.

- Verify that you installed Microsoft Server 2012 R2 VMs with Active Directory Domain Services enabled.
- Verify that the Certificate Authority Service role and the Certificate Authority Web Enrolment role are installed and configured on both Active Directory servers.
- Verify that dc01sfo.sfo01.rainpole.local has been set up to be the intermediate CA of the root CA dc01rpl.rainpole.local.

1 Log in to the AD server by using a Remote Desktop Protocol (RDP) client as the AD administrator with the ad_admin_password password.
  - If you use the intermediate CA, connect to dc01sfo.sfo01.rainpole.local.
  - If you use only the root CA, connect to dc01rpl.sfo01.rainpole.local.
2 Click Windows Start > Run, enter certtmpl.msc, and click OK.
3 In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
4 In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK.
5 In the Properties of New Template dialog box, click the General tab.
6 In the Template display name text box, enter VMware as the name of the new template.
7 Click the Extensions tab and specify extensions information:
  a Select Application Policies and click Edit.
  b Select Server Authentication, click Remove, and click OK.
  c Select Key Usage and click Edit.
  d Click the Signature is proof of origin (nonrepudiation) check box.
  e Leave the default for all other options.
  f Click OK.
8 Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
9 To add the new template to your CA, click Windows Start > Run, enter certsrv.msc, and click OK.
10 In the Certification Authority window, expand the left pane if it is collapsed.
11 Right-click Certificate Templates and select New > Certificate Template to Issue.
12 In the Enable Certificate Templates dialog box, select the VMware certificate that you just created in the Name column and click OK.

Use the Certificate Generation Utility to Generate Certificates Automatically in Region A

You can use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate signed certificates for all management components of this design in Region B. You can then import the certificates to these components to maintain a secure connection to the external network and between the components themselves.

1 Use the Certificate Generation Utility to Generate CA-Signed Certificates for the SDDC Management Components in Region A
  Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.
2 Additional Configuration for Intermediate Certificate Authority in Region A
  If you use an intermediate certificate authority on sfo01.rainpole.local as a certificate signer, the CertGenVVD utility only retrieves the intermediate Base 64 certificate from the Microsoft CA. You must create a certificate chain file that also includes the root CA certificate.

Use the Certificate Generation Utility to Generate CA-Signed Certificates for the SDDC Management Components in Region A

Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article

Prerequisites

If you use an intermediate CA such as sfo01.rainpole.local, make the Windows host that you use to connect to the data center a part of the sfo01.rainpole.local domain.

1 Log in to a Windows host that has access to your data center.
2 Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
3 In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
4 Verify that the following properties are configured.

    ORG=Rainpole Inc.
    OU=Rainpole.local
    LOC=SFO
    ST=CA
    CC=US
    CN=VMware_VVD
    keysize=

5 Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.

    comp01esx01.sfo01.txt
    comp01esx02.sfo01.txt
    comp01esx03.sfo01.txt
    comp01esx04.sfo01.txt
    comp01nsxm01.sfo01.txt
    comp01vc01.sfo01.txt
    mgmt01nsxm01.sfo01.txt
    sfo01psc01.sfo01.txt
    mgmt01esx01.sfo01.txt
    mgmt01esx02.sfo01.txt
    mgmt01esx03.sfo01.txt
    mgmt01esx04.sfo01.txt
    mgmt01srm01.sfo01.txt
    mgmt01vc01.sfo01.txt
    mgmt01vdp01.sfo01.txt
    mgmt01vrms01.sfo01.txt
    vra.txt
    vrb.txt
    vrli.sfo01.txt
    vro.txt
    vrops-forvvd4.0.txt

6 If sfo01psc01.sfo01.txt does not exist, create it so that you can generate certificates for the Platform Services Controllers that are behind a load balancer in Region A.
  a Make a copy of mgmt01vc01.sfo01.txt and save it as sfo01psc01.sfo01.txt.
  b Open the copied file in a text editor, and verify that the following properties are configured.

    sfo01psc01.sfo01.txt

    [CERT]
    NAME=default
    ORG=default
    OU=default
    LOC=SFO
    ST=default
    CC=default
    CN=sfo01psc01.sfo01.rainpole.local
    keysize=default
    [SAN]
    comp01psc01
    mgmt01psc01
    comp01psc01.sfo01.rainpole.local
    mgmt01psc01.sfo01.rainpole.local
    sfo01psc01
    sfo01psc01.sfo01.rainpole.local

7 Open a Windows PowerShell prompt and navigate to the CertGenVVD folder. For example, if you use CertGenVVD 2.1, navigate to the following folder: C:\CertGenVVD

8 Run the following command to grant PowerShell permissions to run third-party shell scripts.

    Set-ExecutionPolicy Unrestricted

9 Run the following command to validate prerequisites for running the utility. Verify that VMware is included in the available CA Template Policy.

    .\CertgenVVD-2.1.ps1 -validate

10 Run the following command to generate MSCA-signed certificates.

    .\certgenvvd-2.1.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'

11 In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts sub-folder.

What to do next

Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Management Products in Region A.

Additional Configuration for Intermediate Certificate Authority in Region A

If you use an intermediate certificate authority on sfo01.rainpole.local as a certificate signer, the CertGenVVD utility only retrieves the intermediate Base 64 certificate from the Microsoft CA. You must create a certificate chain file that also includes the root CA certificate.

1 Log in to the site for certificate request on the sfo01.rainpole.local AD server.
  a Open a Web browser and go to
  b Log in using the following credentials.

    Setting     Value
    User name   ad_administrator
    Password    ad_administrator_password

2 Download and export the certificates of the intermediate and root CAs.
  a Click Download a CA certificate, certificate chain, or CRL.
  b Select Current [sfo01-DC01SFO-CA] in the CA certificate list, select Base 64 and click Download CA certificate chain.
  c Save the file as chainroot.p7b.
  d Open chainroot.p7b. The certmgr utility appears.
  e Navigate to the Certificates folder.
  f Right-click sfo01-dc01sfo-ca and select All Tasks > Export. The Certificate Export Wizard appears.
  g On the Welcome page, click Next.
  h Select Base-64 encoded X.509 (.CER) and click Next.
  i On the File to Export page, browse to C:\CertGenVVD-version\SignedByMSCACerts\sfo01-intermediate-ca.cer, click Next and click Finish.

  j Click Okay when you see a message about successful export.
  k In the certmgr utility, right-click rainpole-dc01rpl-ca and select All Tasks > Export and repeat the steps to save the rainpole.local root CA certificate as C:\CertGenVVD-version\SignedByMSCACerts\rainpole-root-ca.cer.
3 Create the chainroot64.cer file that includes both root and intermediate CA certificates.
  a Open rainpole-root-ca.cer in a text editor.
  b Copy the entire content and close the file.
  c Open sfo01-intermediate-ca.cer in a text editor, press Enter to insert a new line at the end of the file, and paste the rainpole-root-ca.cer content.
  d Save the file as chainroot64.cer to C:\CertGenVVD-version\SignedByMSCACerts\.
  e Close all files.
  f Verify that the new file C:\CertGenVVD-version\SignedByMSCACerts\chainRoot64.cer exists and contains the content of both sfo01-intermediate-ca.cer and rainpole-root-ca.cer.
4 Refresh all MSCA-signed certificates with the new intermediate and root CAs.
  a Open the C:\CertGenVVD-version folder.
  b Make a copy of the SignedByMSCACerts folder and name it SignedByMSCACerts-backup.
  c Rename the SignedByMSCACerts folder to CSRCerts.
  d Open the C:\CSRCerts\RootCA\ folder.
  e Delete the Root64.cer file.
  f Create a copy of chainroot64.cer as Root64.cer.
  g Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
  h Run the following command to regenerate all certificate files and packages using the new Root64.cer.

    .\CertGenVVD-version.ps1 -CSR -extra

  i Rename the CSRCerts folder back to SignedByMSCACerts.

Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A

Create certificate signing requests for the management components in the SDDC and send them to a certificate authority, such as the Microsoft AD server in Region A, for getting a signed component certificate.

- Generate Manually Key Pairs and Certificate Signing Requests for the ESXi Hosts in Region A
  If you plan to manually generate certificates for the ESXi hosts, generate key pair and Certificate Signing Request (CSR) files for the hosts in the management cluster first and for the hosts in the shared edge and compute cluster next. Submit the CSR file to the certificate authority for signing.
- Generate Manually Key Pair and Certificate Signing Request for the Platform Services Controller Instances in Region A
  Generate a single Certificate Signing Request (CSR) for the Platform Services Controller load balancer and submit it to the certificate authority for signing.

- Generate Manually Key Pair and Certificate Signing Request for vCenter Server in Region A
  If you plan to generate manually a CA-signed certificate for vCenter Server in Region A, create a Certificate Signing Request (CSR) and submit it to the certificate authority for signing.
- Generate Manually Key Pairs and Certificate Signing Requests for NSX in Region A
  If you plan to generate manually a CA-signed certificate for NSX, generate a Certificate Signing Request (CSR) and submit it to the certificate authority for signing.
- Generate Manually Key Pair and Certificate Signing Request for vSphere Data Protection in Region A
  Generate the files that are required to obtain a CA-signed certificate for vSphere Data Protection.
- Generate Manually Key Pairs and Certificate Signing Requests for the Cloud Management Platform in Region A
  vRealize Automation, vRealize Orchestrator and vRealize Business use SSL certificates for secure communication.
- Manually Generate Key Pair and Certificate Signing Request for vRealize Operations Manager
  vRealize Operations Manager comes with default self-signed certificates that are generated and signed at installation time. You can create a key pair and a CSR, and use them to generate a CA-signed certificate on the dc01sfo.sfo01.rainpole.local AD server that authenticates the analytics cluster of vRealize Operations Manager over TLS or SSL.
- Generate Manually Key Pair and Certificate Signing Request for vRealize Log Insight in Region A
  To create a CA-signed certificate for vRealize Log Insight, generate a certificate signing request (CSR) on the virtual appliance for the master node and use the intermediate certificate authority that is available on the child Active Directory (AD) server to sign the certificate.

Generate Manually Key Pairs and Certificate Signing Requests for the ESXi Hosts in Region A

If you plan to manually generate certificates for the ESXi hosts, generate key pair and Certificate Signing Request (CSR) files for the hosts in the management cluster first and for the hosts in the shared edge and compute cluster next. Submit the CSR file to the certificate authority for signing.

You use the Management vCenter Server to generate the key pair and the CSR files because the appliance already has the software required for CSR generation installed. You can also use another Linux OS instance that has OpenSSL installed.

Prerequisites

Verify that the Windows host that you use for access to the data center is a part of the sfo01.rainpole.local domain.

1 Log in to the Windows host that has access to your data center.
2 Create a folder C:\manual-certs\esxhosts.

3 Log in to mgmt01vc01.sfo01.rainpole.local by using a Secure Shell (SSH) client.
  a Open an SSH connection to the virtual machine mgmt01vc01.sfo01.rainpole.local.
  b Log in using the following credentials.

    Setting     Value
    User name   root
    Password    vcenter_server_root_password

4 Enable the Bash shell by running the following command.

    shell

5 Create a directory to save the certificate signing request and the private key to.

    mkdir /tmp/ssl

6 Navigate to the temporary directory by running the following command.

    cd /tmp/ssl

7 Generate a private key pair and a CSR file for the mgmt01esx01.sfo01.rainpole.local host by running the following command.

    openssl req -nodes -newkey rsa:2048 -keyout mgmt01esx01.key -out mgmt01esx01.csr -subj "/C=US/ST=CA/L=SFO/O=Rainpole Inc./OU=Rainpole.local/CN=mgmt01esx01.sfo01.rainpole.local"

8 Repeat Step 7 to create a key pair and CSR for each of the other hosts in Region A.

    Host Name                           Key File Name      CSR File Name
    mgmt01esx02.sfo01.rainpole.local    mgmt01esx02.key    mgmt01esx02.csr
    mgmt01esx03.sfo01.rainpole.local    mgmt01esx03.key    mgmt01esx03.csr
    mgmt01esx04.sfo01.rainpole.local    mgmt01esx04.key    mgmt01esx04.csr
    comp01esx01.sfo01.rainpole.local    comp01esx01.key    comp01esx01.csr
    comp01esx02.sfo01.rainpole.local    comp01esx02.key    comp01esx02.csr
    comp01esx03.sfo01.rainpole.local    comp01esx03.key    comp01esx03.csr
    comp01esx04.sfo01.rainpole.local    comp01esx04.key    comp01esx04.csr

9 Copy all key and CSR files to the C:\manual-certs\esxhosts directory on the Windows host.

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A.

Generate Manually Key Pair and Certificate Signing Request for the Platform Services Controller Instances in Region A

Generate a single Certificate Signing Request (CSR) for the Platform Services Controller load balancer and submit it to the certificate authority for signing.

Prerequisites

Verify that the Windows host that you use for access to the data center is a part of the sfo01.rainpole.local domain.

1 Log in to the Windows host that has access to the data center.

2 Log in to the Platform Services Controller appliance for the management cluster by using a Secure Shell (SSH) client.
  a Open an SSH connection to the mgmt01psc01.sfo01.rainpole.local virtual machine.
  b Log in using the following credentials.

    Setting     Value
    User name   root
    Password    mgmtpsc_root_password

3 Enable the Bash shell by running the following command.

    shell

4 Create a directory to save the certificate signing request and private key to.

    mkdir /tmp/ssl

5 Start the vSphere Certificate Manager utility.

    /usr/lib/vmware-vmca/bin/certificate-manager

6 Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
7 When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller.
8 Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate), and enter /tmp/ssl for the directory to save the certificate signing request and private key to.
9 Provide the following settings to configure certool.cfg and close the vSphere Certificate Manager utility.

    Setting        Value
    Country        US
    Name           sfo01psc01.sfo01.rainpole.local
    Organization   Rainpole Inc.
    OrgUnit        Rainpole.local
    State          California
    Locality       Palo Alto
    IPAddress
    Email          administrator@rainpole.local
    Hostname       sfo01psc01.sfo01.rainpole.local

  The created CSR files are vmca_issued_csr.csr and vmca_issued_key.key in the /tmp/ssl folder.
10 Run the following commands to rename the vmca_issued_csr.csr and vmca_issued_key.key files to match the Platform Services Controller load balancer IP address.

    mv vmca_issued_csr.csr sfo01psc01.sfo01.csr
    mv vmca_issued_key.key sfo01psc01.sfo01.key

11 Copy the .csr file to directory C:\manual-certs\sfo01psc01 on the Windows host.

Generate Manually Key Pair and Certificate Signing Request for vCenter Server in Region A

If you plan to generate manually a CA-signed certificate for vCenter Server in Region A, create a Certificate Signing Request (CSR) and submit it to the certificate authority for signing.

You generate a Certificate Signing Request (CSR) on the vCenter Server instances by using the vSphere Certificate Manager utility.

Prerequisites

Verify that the Windows host that you use for access to the data center is a part of the sfo01.rainpole.local domain.

1 Log in to a Windows host that has access to the data center as an administrator.
2 Log in to the vCenter Server Appliance for the management cluster by using a Secure Shell (SSH) client.
  a Open an SSH connection to the vCenter Server instance.

    vCenter Server               Virtual Appliance FQDN
    Management vCenter Server    mgmt01vc01.sfo01.rainpole.local
    Compute vCenter Server       comp01vc01.sfo01.rainpole.local

  b Log in using the following credentials.

    Setting     Value
    User name   root
    Password    vcenter_server_root_password

3 Enable the Bash shell by running the following command.

    shell

4 Create a directory to save the certificate signing request and private key to.

    mkdir /tmp/ssl

5 Start the vSphere Certificate Manager utility.

    /usr/lib/vmware-vmca/bin/certificate-manager

6 Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
7 When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.

    vCenter Server                      IP Address of Connected Platform Services Controller
    mgmt01vc01.sfo01.rainpole.local
    comp01vc01.sfo01.rainpole.local

8 Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate), and enter /tmp/ssl for the directory to save the certificate signing request and private key to.

9 Provide the following settings to configure certool.cfg and close the vSphere Certificate Manager utility.

    Setting        Value on the Management Platform Services Controller    Value on the Compute Platform Services Controller
    Country        US                                                      US
    Name           mgmt01vc01.sfo01.rainpole.local                         comp01vc01.sfo01.rainpole.local
    Organization   Rainpole Inc.                                           Rainpole Inc.
    OrgUnit        Rainpole.local                                          Rainpole.local
    State          California                                              California
    Locality       Palo Alto                                               Palo Alto
    IPAddress      -                                                       -
    Email          administrator@vsphere.local                             administrator@vsphere.local
    Hostname       mgmt01vc01.sfo01.rainpole.local                         comp01vc01.sfo01.rainpole.local

  The utility creates the CSR files vmca_issued_csr.csr and vmca_issued_key.key in the /tmp/ssl folder.
10 Rename the vmca_issued_csr.csr and vmca_issued_key.key files to match the virtual machine name of the vCenter Server instance.

  mgmt01vc01.sfo01.rainpole.local
    Key and CSR file names: mgmt01vc01.sfo01_ssl.csr, mgmt01vc01.sfo01_ssl.key
    Commands:
      mv vmca_issued_csr.csr mgmt01vc01.sfo01_ssl.csr
      mv vmca_issued_key.key mgmt01vc01.sfo01_ssl.key

  comp01vc01.sfo01.rainpole.local
    Key and CSR file names: comp01vc01.sfo01_ssl.csr, comp01vc01.sfo01_ssl.key
    Commands:
      mv vmca_issued_csr.csr comp01vc01.sfo01_ssl.csr
      mv vmca_issued_key.key comp01vc01.sfo01_ssl.key

11 If you plan to generate manually a certificate for the other vCenter Server instance in Region A, repeat Step 2 to Step
12 Copy the .csr file to the C:\manual-certs\vc directory on the Windows host that you use to access the vCenter Server instances and the AD server.

    vCenter Server               Directory on the Windows host
    Management vCenter Server    C:\manual-certs\vc\mgmt01vc01.sfo01_ssl.csr
    Compute vCenter Server       C:\manual-certs\vc\comp01vc01.sfo01_ssl.csr

  Use the scp command, FileZilla, or WinSCP to copy the file.

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A.
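Step 7 and Step 8 of the ESXi host procedure earlier in this chapter can be run as one loop that also checks every result before the files are copied off the appliance. This is an added example, not part of the original VMware document: the host names and subject fields are the ones listed on this page, while the function names and the umask that keeps the unencrypted keys at mode 600 are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: Step 7 and Step 8 of the ESXi procedure as one loop.
# Host names and subject fields come from this page; function names are
# assumptions of this example.
set -eu

DOMAIN="sfo01.rainpole.local"
SUBJECT_BASE="/C=US/ST=CA/L=SFO/O=Rainpole Inc./OU=Rainpole.local"
ESXI_HOSTS="mgmt01esx01 mgmt01esx02 mgmt01esx03 mgmt01esx04
            comp01esx01 comp01esx02 comp01esx03 comp01esx04"

# generate_csr <short-host-name> <dir>: same openssl call as Step 7.
# The subshell umask keeps the unencrypted private key at mode 600.
generate_csr() {
    ( umask 077
      openssl req -nodes -newkey rsa:2048 \
          -keyout "$2/$1.key" -out "$2/$1.csr" \
          -subj "$SUBJECT_BASE/CN=$1.$DOMAIN" 2>/dev/null )
}

# csr_cn <csr>: print the common name from the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -nameopt RFC2253 -subject |
        sed -n 's/^subject=[[:space:]]*//; s/^CN=\([^,]*\).*/\1/p'
}

# csr_key_bits <csr>: print the public key size in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_matches_key <csr> <key>: succeed only if the CSR carries a valid
# self-signature and its public key belongs to the given private key.
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# generate_all <dir>: create and verify key/CSR pairs for every host.
# Prints one line per host and returns non-zero if any check fails.
generate_all() {
    out=$1; rc=0
    mkdir -p "$out"
    for h in $ESXI_HOSTS; do
        generate_csr "$h" "$out"
        if csr_matches_key "$out/$h.csr" "$out/$h.key" &&
           [ "$(csr_cn "$out/$h.csr")" = "$h.$DOMAIN" ] &&
           [ "$(csr_key_bits "$out/$h.csr")" = "2048" ]; then
            echo "$h OK"
        else
            echo "$h FAILED"; rc=1
        fi
    done
    return "$rc"
}

# Default to the directory used in Step 5 and Step 6.
generate_all "${1:-/tmp/ssl}"
```

Only the .csr files need to reach the certificate authority; the .key files are copied to the Windows host in Step 9 because the later replacement steps need them.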

Generate Manually Key Pairs and Certificate Signing Requests for NSX in Region A

If you plan to generate manually a CA-signed certificate for NSX, generate a Certificate Signing Request (CSR) and submit it to the certificate authority for signing.

1 Log in to the Windows host that has access to the AD server as an administrator.
2 On the Windows host that has access to the data center, log in to the NSX Manager Web interface.
  a Open a Web browser and go to the following URL.

    NSX Manager                                            URL
    NSX Manager for the management cluster
    NSX Manager for the shared compute and edge cluster

  b Log in using the following credentials.

    Setting     Value
    User name   admin
    Password    nsx_manager_admin_password

3 Click Manage Appliance Settings.
4 In the Settings pane on the left, click SSL Certificates.
5 Under SSL Certificates on the right, click Generate CSR.
6 In the Generate Certificate Signing Request dialog box, provide the following information, and click OK.

    CSR Info            Value
    Algorithm           RSA
    Key size            2048
    Common Name         mgmt01nsxm01.sfo01.rainpole.local
                        comp01nsxm01.sfo01.rainpole.local
    Organization Unit   Rainpole
    Organization Name   Rainpole
    Locality Name       SFO
    State Name          CA
    Country Code        US

7 Under SSL Certificates, click Download CSR.
  VMware NSX downloads a CSR file called NSX to the default download directory.

8 Copy the NSX file to the following local directory on the Windows host that you use to access the data center. Create the directory if necessary.

    NSX Manager Instance                 Directory on the Windows Host
    mgmt01nsxm01.sfo01.rainpole.local    C:\manual-certs\nsx\mgmt01nsxm01.sfo01
    comp01nsxm01.sfo01.rainpole.local    C:\manual-certs\nsx\comp01nsxm01.sfo01

9 Rename the file, adding the .csr extension at the end of the file name.

    NSX Manager                          File Name
    mgmt01nsxm01.sfo01.rainpole.local    mgmt01nsxm01.sfo01_ssl.csr
    comp01nsxm01.sfo01.rainpole.local    comp01nsxm01.sfo01_ssl.csr

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A.

Generate Manually Key Pair and Certificate Signing Request for vSphere Data Protection in Region A

Generate the files that are required to obtain a CA-signed certificate for vSphere Data Protection.

1 Enable SSH Root User Access on the vSphere Data Protection Appliance in Region A
  Enable the login to the vSphere Data Protection appliance in Region A over Secure Shell (SSH) as the root user. You connect to the appliance over SSH to install custom certificates and to perform troubleshooting operations.
2 Generate Manually the Key Pair and Certificate Signing Request for vSphere Data Protection in Region A
  Generate the certificate signing request (CSR) for vSphere Data Protection in Region A that you can use to generate manually a certificate signed by the Microsoft CA on the dc01sfo.sfo01.rainpole.local AD server in Region A.

Enable SSH Root User Access on the vSphere Data Protection Appliance in Region A

Enable the login to the vSphere Data Protection appliance in Region A over Secure Shell (SSH) as the root user. You connect to the appliance over SSH to install custom certificates and to perform troubleshooting operations.

1 Log in to the Management vCenter Server by using the vSphere Web Client.
  a Open a Web browser and go to
  b Log in using the following credentials.

    Setting     Value
    User name   administrator@vsphere.local
    Password    vsphere_admin_password

2 Navigate to the vSphere Data Protection virtual appliance mgmt01vdp01.
3 Right-click mgmt01vdp01 and select Open Console to open the remote console to the appliance.
4 Log in using the following credentials.

    Setting     Value
    User name   root
    Password    vdp_root_password

5 Run the following console command to open the sshd_config file for editing.

    vi /etc/ssh/sshd_config

6 Remove the # comment from the beginning of the line #PermitRootLogin yes.
7 Run the following command in the vi editor to save the file and exit the editor.

    :wq!

8 In the console, restart the SSH service to update the running configuration.

    /etc/init.d/sshd restart

9 Log out and close the console to the appliance.

Generate Manually the Key Pair and Certificate Signing Request for vSphere Data Protection in Region A

Generate the certificate signing request (CSR) for vSphere Data Protection in Region A that you can use to generate manually a certificate signed by the Microsoft CA on the dc01sfo.sfo01.rainpole.local AD server in Region A.

You must plan for downtime of the vSphere Data Protection service. During the certificate generation and replacement, the vSphere Data Protection service will be down until the new certificate is installed. When you plan the downtime, take into account the time you need to use the generated CSR file to request the CA-signed certificate.

1 Log in to the vSphere Data Protection appliance.
  a Open an SSH connection to the virtual machine mgmt01vdp01.sfo01.rainpole.local.
  b Log in using the following credentials.

    Setting     Value
    User name   root
    Password    vdp_root_password

2 Stop the vSphere Data Protection services by running the following command.

    emwebapp.sh --stop

3 Delete the Tomcat alias from the certificate store.

    /usr/java/latest/bin/keytool -delete -alias tomcat

  When prompted for the keystore password, enter changeit.
4 Generate a CSR file vdpcsr.csr by running the following two commands. When prompted for the keystore password, enter changeit.

    /usr/java/latest/bin/keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore /root/.keystore -storepass changeit -keypass changeit -validity  -dname "CN=mgmt01vdp01.sfo01.rainpole.local, OU=rainpole.local, O=Rainpole Inc., L=Palo Alto, S=CA, C=US"

    /usr/java/latest/bin/keytool -certreq -keyalg RSA -alias tomcat -file vdpcsr.csr

5 Copy the vdpcsr.csr file to the C:\manual-certs\vdp\mgmt01vdp01 directory on the Windows host that you use to access the data center.

What to do next

1 Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A.
2 Replace the certificate on the vSphere Data Protection. See Install a Manually Generated Certificate on vSphere Data Protection in Region A.

Generate Manually Key Pairs and Certificate Signing Requests for the Cloud Management Platform in Region A

vRealize Automation, vRealize Orchestrator and vRealize Business use SSL certificates for secure communication.

Repeat this procedure three times, once for each of vRealize Automation, vRealize Orchestrator and vRealize Business. You place the CSR and key files of each product in a dedicated folder on the Windows host that you use to access the data center.

    Product                 Folder
    vRealize Automation     C:\manual-certs\vRA\
    vRealize Orchestrator   C:\manual-certs\vRO\
    vRealize Business       C:\manual-certs\vRB\

Prerequisites

Download the vRealize Certificate Generation tool from VMware Knowledge Base article

1 Prepare the vRealize Certificate Generation Tool.
  a Log in to the machine that you set up for certificate generation.
  b Download the vRealize Certificate Generation Tool and extract the downloaded vRealize Certificate Generation Tool.zip file.
  c Copy the certgen.sh file and place it in the /tmp directory.
  d Change the certgen.sh permissions to execute by using the chmod u+x certgen.sh command.

    chmod u+x certgen.sh

2 Run the vRealize Certificate Generation Tool.
  a Run the certgen.sh script.

    ./certgen.sh

  b Enter the following values when prompted.

    Prompt                        Value
    Enter Organization            Rainpole
    Enter Organizational Unit     Engineering
    Enter Locality/Town           San Francisco
    Enter State/Country           CA
    Enter Country Code            US

   c Enter all of the host names for the solution for which you are generating certificates.

      Product               | Host Names for CSR Generation
      vRealize Automation   | vra01svr01.rainpole.local
                            | vra01svr01a.rainpole.local
                            | vra01svr01b.rainpole.local
                            | vra01iws01.rainpole.local
                            | vra01iws01a.rainpole.local
                            | vra01iws01b.rainpole.local
                            | vra01ims01.rainpole.local
                            | vra01ims01a.rainpole.local
                            | vra01ims01b.rainpole.local
      vRealize Orchestrator | vra01vro01.rainpole.local
                            | vra01vro01a.rainpole.local
                            | vra01vro01b.rainpole.local
      vRealize Business     | vra01bus01.rainpole.local

   d When prompted to Enter domain name, enter rainpole.local.

   The vRealize Certificate Generation Tool generates a vrealize.csr file in the /tmp directory.
3 Using scp, FileZilla or WinSCP, copy the vrealize.csr and vrealize.key files from the Linux host to the C:\manual-certs\vRA directory on the Windows host.
4 Rename vrealize.csr and vrealize.key to vra.csr and vra.key respectively.
5 Repeat the procedure for vRealize Orchestrator and vRealize Business.

Manually Generate Key Pair and Certificate Signing Request for vRealize Operations Manager

vRealize Operations Manager comes with default self-signed certificates that are generated and signed at installation time. You can create a key pair and a CSR, and use them to generate a CA-signed certificate on the dc01sfo.sfo01.rainpole.local AD server that authenticates the analytics cluster of vRealize Operations Manager over TLS or SSL.

1 On your computer, create a configuration file for OpenSSL certificate request generation, called vrops01.cfg.
   Because all nodes in the cluster share the same certificate, the Subject Alternative Name field, subjectAltName, of the uploaded certificate must contain FQDNs of all nodes and of the load balancer. For common name, use the full domain name of the load balancer.

      [ req ]
      default_bits = 4096
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req

      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = DNS:vrops-cluster-01, IP:<IP_address>, DNS:vrops-cluster-01.rainpole.local, DNS:vrops-mstrn-01.rainpole.local, DNS:vrops-mstrn-01, DNS:vrops-repln-02.rainpole.local, DNS:vrops-repln-02, DNS:vrops-datan-03.rainpole.local, DNS:vrops-datan-03

      [ req_distinguished_name ]
      countryName = US
      stateOrProvinceName = CA
      localityName = Palo Alto
      0.organizationName = Rain Pole Inc.,
      organizationalUnitName = rainpole.local
      commonName = vrops-cluster-01.rainpole.local

2 Log in to the Management vCenter Server by using the vSphere Web Client.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | administrator@vsphere.local
      Password  | vsphere_admin_password

3 Enable the SSH service on the virtual appliance.
   a Right-click the vrops-mstrn-01 virtual appliance and select Open Console to open the remote console to the appliance.
   b Press ALT+F1 to switch to the command prompt.
   c Log in using the following credentials.

      Setting   | Value
      User name | root
      Password  | vrops_root_password

   d Start the SSH service by running the command:

      service sshd start

4 Log in to vrops-mstrn-01.rainpole.local by using a Secure Shell (SSH) client.
   a Open an SSH connection to the virtual machine vrops-mstrn-01.rainpole.local.
   b Log in using the following credentials.

      Setting   | Value
      User name | root
      Password  | vrops_root_password

5 Create a sub-directory called vrops01 in the root user's home directory.

      mkdir /root/vrops01/

6 Copy the vrops01.cfg file to the /root/vrops01 folder on the master node virtual appliance. You can use scp, FileZilla or WinSCP.
7 From the /root/vrops01 folder, generate an RSA private key that is 4096 bits long, and save it as a vrops01.key file.

      openssl genrsa -out vrops01.key 4096

8 Use the vrops01.key private key and the vrops01.cfg configuration file to create a CSR and save it as a vrops01.pem file.

      openssl req -new -key vrops01.key -out vrops01.pem -config vrops01.cfg

9 Copy the vrops01.pem file to the C:\manual-certs\vrops folder on the Windows host that you use to access the data center.

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A, on page 27.
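
The requirement in step 1, that the shared cluster certificate names the load balancer and every node, can be checked on the request configuration file before the CSR is generated; the same check applies to the vRealize Log Insight configuration file in the next procedure. The script below is an added example and not part of the original document: the function names and the example.test host names are constructed for illustration, and requiring the short name next to each FQDN is an assumption taken from the layout of the sample file.

```shell
#!/bin/sh
# Added example: lint an OpenSSL request config for a load-balanced cluster
# before generating the CSR. All host names are constructed sample values.

# cfg_get FILE SECTION KEY -> prints the trimmed value of KEY inside [ SECTION ]
cfg_get() {
    awk -v want="$2" -v key="$3" '
        { sub(/\r$/, "") }                      # tolerate CRLF files from Windows
        /^[ \t]*\[/ {                           # section header such as "[ v3_req ]"
            sec = $0
            gsub(/[ \t]/, "", sec); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+/, "", k); gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_dns_names FILE -> DNS entries of subjectAltName, lower-cased, one per line.
# Only the section that req_extensions in [ req ] points to is read, because
# that is the section OpenSSL copies into the request.
san_dns_names() {
    ext=$(cfg_get "$1" req req_extensions)
    [ -n "$ext" ] || return 0
    cfg_get "$1" "$ext" subjectAltName | tr ',' '\n' | tr 'A-Z' 'a-z' |
        awk '{ gsub(/[ \t]/, ""); if (index($0, "dns:") == 1) print substr($0, 5) }'
}

# missing_sans FILE FQDN... -> prints every required name (FQDN and short name
# of the load balancer and of each node) that subjectAltName does not list.
# Returns 0 when nothing is missing, 1 otherwise.
missing_sans() {
    cfg=$1; shift
    sans=$(san_dns_names "$cfg")
    miss=0
    for fqdn in "$@"; do
        for name in "$fqdn" "${fqdn%%.*}"; do
            if ! printf '%s\n' "$sans" | grep -qxF -- "$(lc "$name")"; then
                printf '%s\n' "$name"; miss=1
            fi
        done
    done
    return $miss
}

# cn_is_lb FILE LB_FQDN -> 0 when commonName equals the load balancer FQDN
cn_is_lb() {
    dn=$(cfg_get "$1" req distinguished_name)
    cn=$(cfg_get "$1" "$dn" commonName)
    [ -n "$cn" ] && [ "$(lc "$cn")" = "$(lc "$2")" ]
}

# write_sample_cfg FILE: constructed config in the layout used in step 1,
# with the third node deliberately left out of subjectAltName.
write_sample_cfg() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrops-cluster-01, DNS: vrops-cluster-01.example.test, DNS:vrops-node-01.example.test, DNS:vrops-node-01, DNS:vrops-node-02.example.test, DNS:vrops-node-02

[ req_distinguished_name ]
countryName = US
commonName = vrops-cluster-01.example.test
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    write_sample_cfg "$tmp"
    cn_is_lb "$tmp" vrops-cluster-01.example.test && echo "commonName: ok"
    missing_sans "$tmp" vrops-cluster-01.example.test vrops-node-01.example.test \
        vrops-node-02.example.test vrops-node-03.example.test |
        sed 's/^/missing from subjectAltName: DNS:/'
    rm -f "$tmp"
}
demo
```

Names are compared case-insensitively, and a space after "DNS:" is tolerated, so the check reports only entries that are really absent.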

Generate Manually Key Pair and Certificate Signing Request for vRealize Log Insight in Region A

To create a CA-signed certificate for vRealize Log Insight, generate a certificate signing request (CSR) on the virtual appliance for the master node and use the intermediate certificate authority that is available on the child Active Directory (AD) server to sign the certificate.

1 On your computer, create a configuration file for OpenSSL certificate request generation, called vrli-sfo.cfg.
   Because all nodes in the cluster share the same certificate, the Subject Alternative Name field, subjectAltName, of the uploaded certificate must contain the IP addresses and FQDNs of all nodes and of the load balancer. For common name, use the full domain name of the integrated load balancer. The following can be used as an example to create the certificate request:

      [ req ]
      default_bits = 2048
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req

      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = DNS:vrli-cluster-01, DNS:vrli-cluster-01.sfo01.rainpole.local, DNS:vrli-mstr-01.sfo01.rainpole.local, DNS:vrli-mstr-01, DNS:vrli-wrkr-01.sfo01.rainpole.local, DNS:vrli-wrkr-01, DNS:vrli-wrkr-02.sfo01.rainpole.local, DNS:vrli-wrkr-02

      [ req_distinguished_name ]
      countryName = US
      stateOrProvinceName = CA
      localityName = Palo Alto
      organizationName = Rainpole Inc.,
      organizationalUnitName = rainpole.local
      commonName = vrli-cluster-01.sfo01.rainpole.local

2 Log in to the master node of vRealize Log Insight by using a Secure Shell (SSH) client.
   a Open an SSH connection to the virtual machine vrli-mstr-01.sfo01.rainpole.local.
   b Log in using the following credentials.

      Setting   | Value
      User name | root
      Password  | vrli_master_root_password

3 Create a sub-directory called vrli in the root home directory and navigate to it.

      mkdir /root/vrli
      cd /root/vrli

4 From the /root/vrli folder, generate an RSA private key that is 2048 bits long, and save it as a vrli.key file.

      openssl genrsa -out vrli.key 2048

5 Copy the vrli-sfo.cfg to the /root/vrli folder on the master node virtual appliance. You can use SCP, FileZilla, WinSCP or similar.
6 Use the vrli.key private key and the vrli-sfo.cfg configuration file to create a CSR and save it as a vrli-sfo01.csr file to the /root/vrli folder.

      openssl req -new -key vrli.key -out vrli-sfo01.csr -config vrli-sfo.cfg

   The /root/vrli folder contains the vrli-sfo.cfg, vrli.key and vrli-sfo01.csr files.
7 Copy the vrli.key and vrli-sfo01.csr files to the C:\manual-certs\vrli.sfo01 folder on the Windows host that you use to access your data center.
8 Rename vrli.key to vrli-sfo01.key.

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region A, on page 27.

Generate CA-Signed Certificates for the SDDC Management Components in Region A

When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA).

Prerequisites

Create a Microsoft Certificate Authority Template. See Create and Add a Microsoft Certificate Authority Template, on page 7.

Generate a CSR for the certificate that you want to replace. You generate the CSR on the machine where the certificate is installed. See Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A, on page 12.

On the Windows host that you use to access the data center, create a C:\manual-certs folder with CSR files for the products you need to request a cert for. See Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A, on page 12.

Verify that the Windows host that you use to connect to the data center is connected to the sfo01.rainpole.local domain.

1 Log in to the Windows host that has access to the AD server as an administrator.

2 Submit a request and download the certificate chain that contains the CA-signed certificate and the CA certificate.
   a Open a Web Browser and go to to open the Web interface of the CA server.
   b Log in using the following credentials.

      Setting   | Value
      User name | AD administrator
      Password  | ad_admin_password

   c Click the Request a certificate link.
   d Click advanced certificate request.
   e Open the CSR (.csr) file in a plain text editor.
   f Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- to the clipboard.
   g On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR file into the Saved Request box.
   h From the Certificate Template drop-down menu, select VMware and click Submit.
   i On the Certificate issued screen, click Base 64 encoded.
   j Click the Download Certificate chain link and save the certificate chain file certnew.p7b to the Downloads folder.
3 Export the machine certificate to the correct format.
   a Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
   b Navigate to certnew.p7b > Certificates and notice the three certificates.
   c Right-click the machine certificate and select All Tasks > Export.
   d In the Certificate Export Wizard, click Next.

   e Select Base-64 encoded X.509 (.CER) and click Next.
   f Browse to C:\certs and specify the certificate name in the File name text box.
   g Click Next and click Finish.
   The certificate file is saved to the C:\certs folder.
4 Export the intermediate CA certificate file to the correct format.
   a Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
   b Navigate to certnew.p7b > Certificates and notice the three certificates.
   c Right-click the intermediate CA certificate and select All Tasks > Export.
   d In the Certificate Export Wizard, click Next.
   e Select Base-64 encoded X.509 (.CER) and click Next.
   f Browse to C:\certs and enter Intermediate in the File name text box.
   g Click Next and click Finish.
   The Intermediate.cer file is saved to the C:\certs folder.
5 Export the root CA certificate file in the correct format.
   a Right-click the root certificate and select All Tasks > Export.
   b In the Certificate Export Wizard, click Next.
   c Select Base-64 encoded X.509 (.CER) and click Next.
   d Browse to C:\certs and enter Root64 in the File name text box.
   e Click Next and click Finish.
   The Root64.cer file is saved to the C:\certs folder.
6 Move the certificate file to the following C:\manual-certs\component folder under the following file names.

      Management Component                                       | Target Folder                       | Certificate File Names
      ESXi hosts for the management cluster                      | C:\manual-certs\mgmt01esx.sfo01     | mgmt01esx01.cer, mgmt01esx02.cer, mgmt01esx03.cer, mgmt01esx04.cer
      ESXi hosts for the management cluster                      | C:\manual-certs\comp01esx.sfo01     | comp01esx01.cer, comp01esx02.cer, comp01esx03.cer, comp01esx04.cer
      Platform Services Controller for the management cluster    | C:\manual-certs\sfo01psc01.sfo01    | sfo01psc01.sfo01.cer
      vCenter Server for the management cluster                  | C:\manual-certs\mgmt01vc01.sfo01    | mgmt01vc01.sfo01.cer
      NSX Manager for the management cluster                     | C:\manual-certs\mgmt01nsxm01.sfo01  | mgmt01nsxm01.sfo01.cer

      Management Component                                                  | Target Folder                       | Certificate File Names
      Platform Services Controller for the shared edge and compute cluster  | -                                   | -
      vCenter Server for the shared edge and compute cluster                | C:\manual-certs\comp01vc01.sfo01    | comp01vc01.sfo01.cer
      NSX Manager for the shared edge and compute cluster                   | C:\manual-certs\comp01nsxm01.sfo01  | comp01nsxm01.sfo01.cer
      vSphere Data Protection                                               | C:\manual-certs\mgmt01vdp01.sfo01   | vdp.p7b
      Site Recovery Manager                                                 | -                                   | -
      vSphere Replication                                                   | -                                   | -
      vRealize Automation                                                   | C:\manual-certs\vRA                 | vra.cer
      vRealize Orchestrator                                                 | C:\manual-certs\vRO                 | vro.cer
      vRealize Business                                                     | C:\manual-certs\vRB                 | vrb.cer
      vRealize Operations Manager                                           | C:\manual-certs\vrops-forVVD4.0     | vrops-forvvd4.cer
      vRealize Log Insight                                                  | C:\manual-certs\vrli.sfo01          | vrli.sfo01.cer

7 Generate a certificate chain file.
   a Navigate to the directory C:\manual-certs\component.
   b For each management component, run the following command to create the certificate chain file.

      Management Component                                                  | Certificate Chain File Name
      Platform Services Controller for the management cluster               | sfo01psc01.sfo01.chain.cer
      vCenter Server for the management cluster                             | mgmt01vc01.sfo01.chain.cer
      NSX Manager for the management cluster                                | mgmt01nsxm01.sfo01.chain.cer
      Platform Services Controller for the shared edge and compute cluster  | Not applicable
      vCenter Server for the shared edge and compute cluster                | comp01vc01.sfo01.chain.cer
      NSX Manager for the shared edge and compute cluster                   | comp01nsxm01.sfo01.chain.cer
      vSphere Data Protection                                               | Not applicable
      Site Recovery Manager                                                 | Not applicable
      vSphere Replication                                                   | Not applicable
      vRealize Automation                                                   | vra.chain.cer
      vRealize Orchestrator                                                 | vro.chain.cer
      vRealize Business                                                     | vrb.chain.cer
      vRealize Operations Manager                                           | Not applicable
      vRealize Log Insight                                                  | vrli-sfo01.chain.cer

      copy own-certificate-file+intermediate.cer+root64.cer component-chain-file

   For example, run the following command to generate a certificate chain file for the NSX Manager for the management cluster.

      copy mgmt01nsxm01.sfo01.cer+intermediate.cer+root64.cer mgmt01nsxm01.sfo01.chain.cer

8 Repeat the procedure to generate signed certificates for the other products.
9 For each vCenter Server instance, create a certificate chain file CACert.chain.cer that contains the certificates of the root and intermediate CA in the vCenter Server specific folder.

      vCenter Server            | Folder
      Management vCenter Server | C:\manual-certs\mgmt01vc01.sfo01
      Compute vCenter Server    | C:\manual-certs\comp01vc01.sfo01

      copy Intermediate.cer+Root64.cer CACert.chain.cer

10 Generate a .pem file that contains the key file and the signer and owner certificates.
   a Copy the CACert.chain.cer file to the following folders.
      C:\manual-certs\vrops-forVVD4.0\
      C:\manual-certs\vrli.sfo01
      C:\manual-certs\vRA
      C:\manual-certs\vRO
      C:\manual-certs\vRB
   b Generate a vrops01-chain.pem file that contains the host certificate with the intermediate and root certificates and its own private key.

      cd C:\manual-certs\vrops-forVVD4.0\
      copy vrops-forvvd4.cer+cacert.chain.cer+vrops-forvvd4.key vrops01-chain.pem

   c Repeat the step in the following folders.
      C:\manual-certs\vrli.sfo01
      C:\manual-certs\vRA
      C:\manual-certs\vRO
      C:\manual-certs\vRB

Replace Certificates of the Management Products in Region A

After you generate a certificate for a management product in Region A that is signed by the two-layered certificate authority on the child AD server in the region, replace the default certificate or an expired certificate with a newly-signed one on the product instance in the region.

Prerequisites

Generate a certificate for the products in this validated design in one of the following ways:

Use the VMware Validated Design Certificate Utility. See Use the Certificate Generation Utility to Generate Certificates Automatically in Region A, on page 9.

Generate Certificate Signing Requests manually and use them to have the product certificates signed by the certificate authority on the child AD server in Region A. See Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A, on page 12 and Generate CA-Signed Certificates for the SDDC Management Components in Region A.

1 Replace Certificates of the Virtual Infrastructure Components in Region A
   In this design, you replace user-facing certificates in Region A with certificates that are signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.
2 Replace Certificates of the Cloud Management Platform Components in Region A
   After you generate a signed certificate for a component of the Cloud Management Platform, replace it and update it on the management components in the region to maintain a secure connection.
3 Replace Certificates of the Operations Management Components in Region A
   If the certificate of vRealize Operations Manager or vRealize Log Insight expires, replace it and update it on the management components in the region to maintain a secure connection.

Replace Certificates of the Virtual Infrastructure Components in Region A

In this design, you replace user-facing certificates in Region A with certificates that are signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.

By default, virtual infrastructure management components use TLS/SSL certificates that are signed by the VMware Certificate Authority (VMCA). Infrastructure administrators connect to different SDDC components, such as vCenter Server systems or a Platform Services Controller, from a Web browser to perform configuration, management and troubleshooting. The authenticity of the network node to which the administrator connects must be confirmed with a valid TLS/SSL certificate.

You can use other certificate authorities according to the requirements of your organization. You do not replace certificates for machine-to-machine communication. If necessary, you can manually mark these certificates as trusted.

1 Replace the Platform Services Controller Certificates in Region A
   You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).
2 Replace the vCenter Server Certificates in Region A
   Replace the certificates on the Management vCenter Server and Compute vCenter Server and reconnect them to the other management components to update the new certificates on these components.
3 Replace the Default Certificate with a Custom Certificate on the ESXi Hosts in Region A
   Optionally, after you obtain a signed certificate for the ESXi hosts in Region A, use it to replace the default VMware Certificate Authority (VMCA) signed certificates on the hosts.
4 Replace the NSX Manager Certificates in Region A
   After you replace the certificates of all Platform Services Controller instances and all vCenter Server instances, replace the certificates for the NSX Manager instances.
5 Replace the Certificate of vSphere Data Protection in Region A
   vSphere Data Protection comes with a default self-signed certificate.
   Install a CA-signed certificate that authenticates vSphere Data Protection over HTTPS.

Replace the Platform Services Controller Certificates in Region A

You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).

Since the Platform Services Controller instances are load-balanced, the machine certificate on both instances in the region must be the same. The certificate must have a common name that is equal to the load-balanced Fully Qualified Domain Name (FQDN). Each Platform Services Controller FQDN and short name, and the load-balanced FQDN and short name, must be in the Subject Alternate Name (SAN) of the generated certificate.

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server, and then on the Platform Services Controller for the Compute vCenter Server.

Table 1-1. Certificate-Related Files on Platform Services Controllers

      Platform Services Controller      | Certificate File Name                     | Replacement Order
      mgmt01psc01.sfo01.rainpole.local  | sfo01psc01.sfo01.key                      | First
                                        | sfo01psc01.sfo01.3.pem (CertGenVVD)       |
                                        | sfo01psc01.sfo01.chain.cer (Manual)       |
                                        | chainRoot64.cer                           |
      comp01psc01.sfo01.rainpole.local  | sfo01psc01.sfo01.key                      | Second
                                        | sfo01psc01.sfo01.3.pem (CertGenVVD)       |
                                        | sfo01psc01.sfo01.1.chain.cer (Manual)     |
                                        | chainRoot64.cer                           |

1 Log in to vCenter Server by using the vSphere Web Client.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | administrator@vsphere.local
      Password  | vsphere_admin_password

2 Disable the Platform Services Controller for the shared edge and compute cluster comp01psc01 in the load balancer to route all traffic to the Platform Services Controller for the management cluster mgmt01psc01.
   a From the vSphere Web Client Home menu, select Network & Security.
   b In the Navigator, select NSX Edges.
   c From the NSX Manager drop-down menu, select
   d Double-click the SFO01PSC01 edge device to open its network settings.
   e On the Manage tab, click the Load Balancer tab and click Pools.
   f Select pool-1 and click Edit.

   g Select the comp01psc01 member, click Edit, select Disable from the State drop-down menu and click OK.
   h Repeat Step 2f and Step 2g to disable comp01psc01 in pool-2.
3 Disconnect the NSX Manager instances from the Platform Services Controller temporarily.
   a Open a Web Browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | admin
      Password  | nsx_manager_admin_password

   c Click Manage vCenter Registration.
   d Click the Unconfigure button next to Lookup Service URL.
   e Repeat the steps on
4 Log in to the Platform Services Controller by using a Secure Shell (SSH) client.
   a Open an SSH connection to mgmt01psc01.sfo01.rainpole.local.
   b Log in using the following credentials.

      Setting   | Value
      User name | root
      Password  | mgmtpsc_root_password

5 Change the Platform Services Controller command shell to the Bash shell.

      shell
      chsh -s /bin/bash root

6 Copy the generated certificate files sfo01psc01.sfo01.key, sfo01psc01.sfo01.3.pem and chainRoot64.cer from the Windows host to the /tmp/ssl directory on the Platform Services Controller. Use scp, FileZilla or WinSCP to copy the files.
7 Rename sfo01psc01.sfo01.3.pem to sfo01psc01.sfo01.1.chain.cer.
8 Add the root certificate to the VMware Endpoint Certificate Store as a trusted root certificate using the following command. Enter the vCenter Single Sign-On password when prompted.

      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer

9 Replace the certificate on the Platform Services Controller.
   a Start the vSphere Certificate Manager utility on the Platform Services Controller.

      /usr/lib/vmware-vmca/bin/certificate-manager

   b Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
   c Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
   d Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
   e When prompted for the custom certificate, enter /tmp/ssl/sfo01psc01.sfo01.1.chain.cer.

   f When prompted for the custom key, enter /tmp/ssl/sfo01psc01.sfo01.key.
   g When prompted for the signing certificate, enter /tmp/ssl/chainRoot64.cer.
   h When prompted to continue the operation, enter Y.
   Wait until the Platform Services Controller services restart successfully.
10 Validate that the new certificate has been installed successfully.
   a Open a Web Browser and go to
   b Verify that the Web browser shows the new certificate.
11 Restart the VAMI service to update certificates for the appliance management interface.
   a Go back to the mgmt01psc01.sfo01.rainpole.local SSH terminal.
   b Enter the following command to update certificates for the appliance management interface.

      /etc/init.d/vami-lighttp restart

12 Switch the shell back to the appliance shell.

      chsh -s /bin/appliancesh root

13 Repeat Step 4 to Step 11 to replace the certificate on comp01psc01.sfo01.rainpole.local.
14 Restart the services on the Management vCenter Server.
   a Open an SSH connection to mgmt01vc01.sfo01.rainpole.local.
   b Log in using the following credentials.

      Setting   | Value
      User name | root
      Password  | mgmtvc_root_password

   c Switch from the vCenter Server Appliance command shell to the Bash shell.

      shell

   d Restart vCenter Server services by using the following commands.

      service-control --stop --all
      service-control --start --all

15 Restore the load balancer configuration.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | administrator@vsphere.local
      Password  | vsphere_admin_password

   c From the vSphere Web Client Home menu, select Network & Security.
   d In the Navigator, select NSX Edges.
   e From the NSX Manager drop-down menu, select
   f Double-click the SFO01PSC01 edge device to open its network settings.
   g On the Manage tab, click the Load Balancer tab and click Pools.

   h Select pool-1 and click Edit.
   i Select the comp01psc01 member, click Edit, select Enable from the State drop-down menu and click OK.
   j Repeat Step 15h and Step 15i to enable comp01psc01 in pool-2.
16 Repeat Step 14 to restart the services on the Compute vCenter Server comp01vc01.sfo01.rainpole.local in Region A and on the vCenter Server instances mgmt01vc51.lax01.rainpole.local and comp01vc51.lax01.rainpole.local in Region B.

What to do next

If you replace only the certificate of the Platform Services Controller instances, reconnect the NSX Managers to the Platform Services Controller load balancer and to vCenter Server after you install the custom certificates on the nodes. See Connect NSX Manager to the Management vCenter Server in Region A, on page 39.

If you replace the certificates of vCenter Server after those of the Platform Services Controllers, see Replace the vCenter Server Certificate Files in Region A, on page 37.

Replace the vCenter Server Certificates in Region A

Replace the certificates on the Management vCenter Server and Compute vCenter Server and reconnect them to the other management components to update the new certificates on these components.

1 Replace the vCenter Server Certificate Files in Region A
   After you replace the Platform Services Controller certificate, you replace the vCenter Server machine SSL certificate. You generate the vCenter Server certificate manually or by using the CertGenVVD tool.
2 Connect NSX Manager to the Management vCenter Server in Region A
   After you replace the certificates of the Platform Services Controller and vCenter Server instances in Region A, you reconnect the NSX Managers to the vCenter Server nodes in the region.
3 Connect vSphere Data Protection to vCenter Server After Certificate Replacement in Region A
   After you replace the certificates on the vCenter Server nodes, connect vSphere Data Protection to the Management vCenter Server to update the vCenter Server certificate on vSphere Data Protection.
4 Update the vCenter Server Certificates on the Cloud Management Platform in Region A
   After you replace the certificates on the vCenter Server instances in Region A, reconnect vRealize Orchestrator to vCenter Server.
5 Update the vCenter Server Certificates on vRealize Operations Manager in Region A
   After you change the certificate of the vCenter Server instances in Region A, update the certificate on the connected vRealize Operations Manager node by reconnecting the vCenter Adapter instances.

Replace the vCenter Server Certificate Files in Region A

After you replace the Platform Services Controller certificate, you replace the vCenter Server machine SSL certificate. You generate the vCenter Server certificate manually or by using the CertGenVVD tool.

You replace certificates twice, once for each vCenter Server instance. You can start replacing certificates on the Management vCenter Server mgmt01vc01.sfo01.rainpole.local first.

Table 1-2. Certificate-Related Files on the vCenter Server Instances

      vCenter Server FQDN              | Files for Certificate Replacement         | Replacement Order
      mgmt01vc01.sfo01.rainpole.local  | mgmt01vc01.sfo01.key                      | After you replace the certificate on the management Platform Services Controller.
                                       | mgmt01vc01.sfo01.3.pem (CertGenVVD2.1)    |
                                       | mgmt01vc01.sfo01.1.chain.cer (Manually)   |
                                       | chainRoot64.cer                           |
      comp01vc01.sfo01.rainpole.local  | comp01vc01.sfo01.key                      | After you replace the certificate on the compute Platform Services Controller.
                                       | comp01vc01.sfo01.3.pem (CertGenVVD2.1)    |
                                       | comp01vc01.sfo01.1.chain.cer (Manually)   |
                                       | chainRoot64.cer                           |

1 Use the scp command, FileZilla, or WinSCP to copy the machine and CA certificate files to the /tmp/ssl directory on the Management vCenter Server.
2 Log in to the vCenter Server instance by using a Secure Shell (SSH) client.
   a Open an SSH connection to the vCenter Server Appliance mgmt01vc01.sfo01.rainpole.local.
   b Log in using the following credentials.

      Setting   | Value
      User name | root
      Password  | vcenter_server_root_password

3 Replace the CA-signed certificate on the vCenter Server instance.
   a Add the root certificate to the VMware Endpoint Certificate Store as a Trusted Root Certificate using the following command and enter the vCenter Single Sign-On password when prompted.

      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer

   b Rename mgmt01vc01.sfo01.3.pem to mgmt01vc01.sfo01.1.chain.cer.

      mv /tmp/ssl/mgmt01vc01.sfo01.3.pem /tmp/ssl/mgmt01vc01.sfo01.1.chain.cer

   c Start the vSphere Certificate Manager utility on the vCenter Server instance.

      /usr/lib/vmware-vmca/bin/certificate-manager

   d Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
   e When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that is connected to this vCenter Server instance.

      Option                           | IP Address of Connected Platform Services Controller
      mgmt01vc01.sfo01.rainpole.local  |
      comp01vc01.sfo01.rainpole.local  |

   f Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
   g When prompted, provide the full path to the custom certificate, the root certificate file and the key file that you generated earlier, and confirm the import with Yes (Y).

      vCenter Server: mgmt01vc01.sfo01.rainpole.local
      Input to the vSphere Certificate Manager Utility:
         Please provide valid custom certificate for Machine SSL.
         File : /tmp/ssl/mgmt01vc01.sfo01.1.chain.cer
         Please provide valid custom key for Machine SSL.
         File : /tmp/ssl/mgmt01vc01.sfo01.key
         Please provide the signing certificate of the Machine SSL certificate.
         File : /tmp/ssl/chainRoot64.cer

      vCenter Server: comp01vc01.sfo01.rainpole.local
      Input to the vSphere Certificate Manager Utility:
         Please provide valid custom certificate for Machine SSL.
         File : /tmp/ssl/comp01vc01.sfo01.1.chain.cer
         Please provide valid custom key for Machine SSL.
         File : /tmp/ssl/comp01vc01.sfo01.key
         Please provide the signing certificate of the Machine SSL certificate.
         File : /tmp/ssl/chainRoot64.cer

4 After Status shows 100% Complete, wait several minutes until all vCenter Server services are restarted.
5 Log in to the vSphere Web Client to verify that certificate replacement is successful.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | administrator@vsphere.local
      Password  | vsphere_admin_password

6 After you replace the certificate on the mgmt01vc01.sfo01.rainpole.local vCenter Server, repeat the procedure to replace the certificate on the compute vCenter Server comp01vc01.sfo01.rainpole.local.

Connect NSX Manager to the Management vCenter Server in Region A

After you replace the certificates of the Platform Services Controller and vCenter Server instances in Region A, you reconnect the NSX Managers to the vCenter Server nodes in the region.

1 Log in to the Management NSX Manager appliance user interface.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | admin
      Password  | nsx_manager_admin_password

2 Click Manage vCenter Registration.
3 Under Lookup Service, click Edit.

4 In the Lookup Service dialog box, enter the following settings and click OK.

      Setting                     | Value for Both NSX Managers
      Lookup Service IP           | sfo01psc01.sfo01.rainpole.local
      Lookup Service Port         | 443
      SSO Administrator User Name | administrator@vsphere.local
      Password                    | vsphere_admin_password

5 In the Trust Certificate? dialog box, click Yes.
6 Under vCenter Server, click Edit.
7 In the vCenter Server dialog box, enter the following settings, and click OK.

      Setting           | Value for NSX Manager for the Management Cluster | Value for NSX Manager for the Shared Edge and Compute Cluster
      vCenter Server    | mgmt01vc01.sfo01.rainpole.local                  | comp01vc01.sfo01.rainpole.local
      vCenter User Name | svc-nsxmanager@rainpole.local                    | svc-nsxmanager@rainpole.local
      Password          | svc-nsxmanager_password                          | svc-nsxmanager_password

8 In the Trust Certificate? dialog box, click Yes.
9 Wait for the Status indicators for the Lookup Service and vCenter Server to change to the Connected status.
10 Repeat the procedure to connect the NSX Manager for the shared edge and compute cluster to the Platform Services Controller load balancer and the Compute vCenter Server.

Connect vSphere Data Protection to vCenter Server After Certificate Replacement in Region A

After you replace the certificates on the vCenter Server nodes, connect vSphere Data Protection to the Management vCenter Server to update the vCenter Server certificate on vSphere Data Protection.

You reconnect vCenter Server to vSphere Data Protection to install the new certificate of vCenter Server.

1 Log in to vCenter Server by using the vSphere Web Client.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | administrator@vsphere.local
      Password  | vsphere_admin_password

2 On the vSphere Web Client Home page, click the VDP icon.
3 On the Welcome to vSphere Data Protection page, select mgmt01vdp01 from the VDP Appliance drop-down menu and click Connect.

Update the vCenter Server Certificates on the Cloud Management Platform in Region A

After you replace the certificates on the vCenter Server instances in Region A, reconnect vRealize Orchestrator to vCenter Server.

1 Reconnect vRealize Orchestrator to vCenter Server.
   a Open a Web Browser and go to
   b Click Start Orchestrator Client.
   c On the VMware vRealize Orchestrator login page, log in to the vRealize Orchestrator Host A by using the following host name and credentials.

      Setting   | Value
      Host name | vra01vro01a.rainpole.local:8281
      User name | svc-vra
      Password  | svc-vra-password

   d In the left pane, click Workflows, and navigate to Library > vCenter > Configuration.
   e Right-click the Update a vCenter Server instance workflow and click Start Workflow.
   f From the vCenter Server instance drop-down menu, select and click Next.
   g Enter the password for the svc-vro@rainpole.local user account and click Submit.
   h Click Yes to ignore the certificate warnings and click Next.
2 Reconnect vRealize Business with the Compute vCenter Server.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | root
      Password  | vrb_collector_root_password

   c Click Manage Private Cloud Connections, select vCenter Server, select the comp01vc01.sfo01.rainpole.local entry and click the Edit icon.
   d In the Edit vCenter Server Connection dialog box, enter the password for the svc-vra@rainpole.local user and click Save.

   e In the SSL Certificate warning dialog box, click Install.
   f In the Success dialog box, click OK.
3 Recreate the vSphere endpoint in vRealize Automation.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | itac-tenantadmin
      Password  | itac-tenantadmin_password
      Domain    | rainpole.local

   c Navigate to Infrastructure > Endpoints > Credentials, select comp01vc01sfo01 admin and click Edit.
   d On the Credentials page, enter the password for the vRealize Automation credential for the administrator of comp01vc01.sfo01.rainpole.local, and click Save.

      Setting     | Value
      Name        | comp01vc01sfo01 admin
      Description | Administrator of comp01vc01.sfo01.rainpole.local
      User Name   | svc-vra@rainpole.local
      Password    | svc_vra_password

   e Navigate to Infrastructure > Endpoints > Endpoints.
   f Hover your mouse over comp01vc01.sfo01.rainpole.local and click Edit from the menu.
   g On the Edit Endpoint - vSphere (vCenter) page, click OK.
   h A certificate warning should pop up; click OK to accept the new certificate.

Update the vCenter Server Certificates on vRealize Operations Manager in Region A

After you change the certificate of the vCenter Server instances in Region A, update the certificate on the connected vRealize Operations Manager node by reconnecting the vCenter Adapter instances.

1 Log in to vRealize Operations Manager by using the administration console.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting   | Value
      User name | admin
      Password  | vrops_admin_password

2 In the left pane of vRealize Operations Manager, click Administration and click Certificates.
3 Select the row that contains CN=mgmt01vc01.sfo01.rainpole.local and click the Delete icon.

4 In the left pane of vRealize Operations Manager, click Administration and click Solutions.
5 Select the VMware vSphere solution and click Configure.
6 In the Manage Solutions dialog box, select mgmt01vc01-sfo01, click Test Connection, accept the new certificate of the Management vCenter Server and click Save Settings.
7 Repeat the procedure to delete the certificate that is installed for the Compute vCenter Server comp01vc01.sfo01.rainpole.local and reconnect vRealize Operations Manager to the Compute vCenter Server to install the new certificate.

Replace the Default Certificate with a Custom Certificate on the ESXi Hosts in Region A

Optionally, after you obtain a signed certificate for the ESXi hosts in Region A, use it to replace the default VMware Certificate Authority (VMCA) signed certificates on the hosts.

1 Change the certificate mode for the ESXi hosts in the management cluster.
   By default, the ESXi hosts are automatically provisioned with VMCA certificates when they are connected to vCenter Server. Change the certificate mode so that vCenter Server does not push VMCA certificates to ESXi hosts when they are added to it.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   administrator@vsphere.local
      Password    vsphere_admin_password

   c In the Navigator, under Hosts and Clusters, select mgmt01vc01.sfo01.rainpole.local, and click the Configure tab.
   d Under Settings, click Advanced Settings and click Edit.
   e In the filter box, enter certmgmt and press Enter to display only certificate management properties.

   f Change the value of the vpxd.certmgmt.mode property to custom and click OK.
   g From the vSphere Web Client Home menu, select Administration, and under Deployment on the Administration page, select System Configuration.
   h Under System Configuration, select Services, select VMware vCenter Server (mgmt01vc01.sfo01.rainpole.local) and select Actions > Restart.

2 If you have not replaced the certificate of the mgmt01vc01.sfo01.rainpole.local vCenter Server, add the CA root certificate to the vCenter Server TRUSTED_ROOTS store.
   If you already replaced the certificate for mgmt01vc01.sfo01.rainpole.local, you added the root certificate to the TRUSTED_ROOTS stores.
   a Open an SSH connection to mgmt01vc01.sfo01.rainpole.local.
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    mgmtvc_root_password

   c Copy the Root64.cer chain file from the Windows host that you use to access the data center to the temporary directory /tmp/ssl on the vCenter Server Appliance. You can use scp, FileZilla or WinSCP.
   d Run the following command.

      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store TRUSTED_ROOTS --alias RainpoleCA.crt --cert /tmp/ssl/chainroot64.cer

3 Replace the certificates on ESXi hosts.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   administrator@vsphere.local
      Password    vsphere_admin_password

   c From the Home menu of the vSphere Web Client, select Hosts and Clusters.
   d Under the SFO01-Mgmt01 data center, right-click the mgmt01esx01.sfo01.rainpole.local vCenter Server object and select Maintenance Mode > Enter Maintenance Mode.
   e Select Move powered-off and suspended virtual machines to other hosts in the cluster and click OK.
   f After the maintenance task is complete, open an SSH connection to the mgmt01esx01.sfo01.rainpole.local host.
   g Transfer mgmt01esx01.key and mgmt01esx01.1.cer from the Windows host that you use to access the data center to the /etc/vmware/ssl directory on the host.
   h Run the following commands.

      mv rui.crt orig.rui.crt
      mv rui.key orig.rui.key
      mv mgmt01esx01.key rui.key
      mv mgmt01esx01.1.cer rui.crt

   i Run the dcui command to open the Direct Console User Interface (DCUI).
   j Press the F2 key to access the System Customization menu.
   k Select Troubleshooting Options and press Enter.
   l Select Restart Management Agents and press Enter.
   m Press the F11 key to confirm the restart.

4 Verify that the custom certificate is installed.
   a Open a Web browser and go to
   b Verify that the certificate returned by the host is signed by Rainpole instead of by VMware.

5 Exit the maintenance mode of the host.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   administrator@vsphere.local
      Password    vsphere_admin_password

   c From the Home menu, select Hosts and Clusters.
   d Under the SFO01-Mgmt01 data center, right-click the mgmt01esx01.sfo01.rainpole.local vCenter Server object and select Maintenance Mode > Exit Maintenance Mode.
   e Make sure that no warning message about an untrusted mgmt01esx01.sfo01.rainpole.local certificate appears.

6 Repeat Step 3 to Step 5 for the rest of the ESXi hosts.

   ESXi host                          Managed by                        Certificate file names
   mgmt01esx02.sfo01.rainpole.local   mgmt01vc01.sfo01.rainpole.local   mgmt01esx02.key, mgmt01esx02.1.cer
   mgmt01esx03.sfo01.rainpole.local   mgmt01vc01.sfo01.rainpole.local   mgmt01esx03.key, mgmt01esx03.1.cer
   mgmt01esx04.sfo01.rainpole.local   mgmt01vc01.sfo01.rainpole.local   mgmt01esx04.key, mgmt01esx04.1.cer
   comp01esx01.sfo01.rainpole.local   comp01vc01.sfo01.rainpole.local   comp01esx01.key, comp01esx01.1.cer
   comp01esx02.sfo01.rainpole.local   comp01vc01.sfo01.rainpole.local   comp01esx02.key, comp01esx02.1.cer
   comp01esx03.sfo01.rainpole.local   comp01vc01.sfo01.rainpole.local   comp01esx03.key, comp01esx03.1.cer
   comp01esx04.sfo01.rainpole.local   comp01vc01.sfo01.rainpole.local   comp01esx04.key, comp01esx04.1.cer

Replace the NSX Manager Certificates in Region A

After you replace the certificates of all Platform Services Controller instances and all vCenter Server instances, replace the certificates for the NSX Manager instances.

You replace certificates twice, once for each NSX Manager. You first start replacing certificates on the NSX Manager for the mgmt01nsxm01.sfo01.rainpole.local management cluster.

Table 1-3. Certificate-Related Files on the NSX Manager Instances in Region A

   NSX Manager FQDN: mgmt01nsxm01.sfo01.rainpole.local
   Certificate File Name: mgmt01nsxm01.sfo01.chain.cer from manual generation; mgmt01nsxm01.sfo01.4.p12 from the automation generation
   Replacement Time: After you replace the certificate on the Management vCenter Server

   NSX Manager FQDN: comp01nsxm01.sfo01.rainpole.local
   Certificate File Name: comp01nsxm01.sfo01.chain.cer from manual generation; comp01nsxm01.sfo01.4.p12 from the automation generation
   Replacement Time: After you replace the certificate on the Compute vCenter Server

1 On the Windows host that has access to the data center, log in to the NSX Manager Web interface.
   a Open a Web browser and go to the following URL.

      NSX Manager                                              URL
      NSX Manager for the management cluster
      NSX Manager for the shared compute and edge cluster

   b Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    nsx_manager_admin_password

2 On the Manage tab, click SSL Certificates, click Import and provide the certificate chain file.

3 Restart the NSX Manager to propagate the CA-signed certificate.
   a In the right corner of the NSX Manager page, click the Settings icon.
   b From the drop-down menu, select Reboot Appliance.

4 Re-register the NSX Manager to the Management vCenter Server.
   a Open a Web browser and go to the NSX Manager Web interface.

      NSX Manager                                              Value
      NSX Manager for the management cluster
      NSX Manager for the shared compute and edge cluster

   b Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    nsx_mngr_admin_password

   c Click Manage vCenter Registration.
   d Under Lookup Service, click the Edit button.
   e In the Lookup Service dialog box, enter the following settings, and click OK.

      Setting                       Value
      Lookup Service IP             sfo01psc01.sfo01.rainpole.local
      Lookup Service Port           443
      SSO Administrator User Name   administrator@vsphere.local
      Password                      vsphere_admin_password

   f In the Trust Certificate? dialog box, click Yes.
   g Under vCenter Server, click the Edit button.
   h In the vCenter Server dialog box, enter the following settings, and click OK.

      vCenter Server
         Value for the NSX Manager for the Management Cluster: mgmt01vc01.sfo01.rainpole.local
         Value for the NSX Manager for the Shared Edge and Compute Cluster: comp01vc01.sfo01.rainpole.local
      vCenter User Name: svc-nsxmanager@rainpole.local
      Password: svc-nsxmanager_password

   i In the Trust Certificate? dialog box, click Yes.
   j Wait until the Status indicators for the Lookup Service and vCenter Server change to Connected.

5 Repeat the steps for the NSX Manager for the shared compute and edge cluster.

6 Reconnect to the secondary NSX Manager instances in Region B.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   administrator@vsphere.local
      Password    vsphere_admin_password

   c From the vSphere Web Client Home menu, select Networking & Security.
   d Click Installation in the Navigator.
   e On the Management tab, select the instance from the NSX Manager menu.
   f If primary and secondary nodes are not syncing correctly
   g Select Actions > Disconnect from Primary NSX Manager.
   h On the Management tab, select the instance from the NSX Manager drop-down menu.
   i Select Actions > Add Secondary NSX Manager.
   j In the Add Secondary NSX Manager dialog box, enter the following settings and click OK.

      Setting            Value
      NSX Manager
      User name          admin
      Password           mgmtnsx_admin_password
      Confirm Password   mgmtnsx_admin_password

   k In the Trust Certificate confirmation dialog box, click Yes.
   l Repeat Step 6e to Step 6k for the NSX Manager instances for the shared edge and compute cluster.
     Reconnect the secondary NSX Manager for the shared edge and compute cluster to the primary NSX Manager for the shared edge and compute cluster.

7 Reconnect the NSX Manager instances to vRealize Operations Manager.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrops_admin_password

   c In the left pane of vRealize Operations Manager, click Administration and click Certificates.
   d Select the row that contains CN=mgmt01nsxm01.sfo01.rainpole.local and click the Delete icon.
   e Select the row that contains CN=comp01nsxm01.sfo01.rainpole.local and click the Delete icon.
   f In the left pane of vRealize Operations Manager, click Administration and click Solutions.
   g From the solution table on the Solutions page, select the Management Pack for NSX-vSphere solution, and click the Configure icon at the top.

   h In the Manage Solutions dialog box, from the Adapter Type table at the top, select NSX-vSphere Adapter.
   i Click the mgmt01nsxm01-sfo01 adapter instance, click Test Connection, accept the new certificate and click Save settings.
   j Click the comp01nsxm01-sfo01 adapter instance, click Test Connection, accept the new certificate and click Save settings.

Replace the Certificate of vSphere Data Protection in Region A

vSphere Data Protection comes with a default self-signed certificate. Install a CA-signed certificate that authenticates vSphere Data Protection over HTTPS.

Install a CertGenVVD-Generated Certificate on vSphere Data Protection in Region A
   After you use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates for the SDDC management components, replace the default VMware-signed certificate on vSphere Data Protection in Region A with the certificate that is generated by CertGenVVD.

Install a Manually Generated Certificate on vSphere Data Protection in Region A
   Replace the certificate on vSphere Data Protection in Region A with the certificate that is signed by the Microsoft CA on the dc01sfo.sfo01.rainpole.local AD server.

Install a CertGenVVD-Generated Certificate on vSphere Data Protection in Region A

After you use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates for the SDDC management components, replace the default VMware-signed certificate on vSphere Data Protection in Region A with the certificate that is generated by CertGenVVD.

Prerequisites

Generate the Microsoft CA-signed certificate by using the CertGenVVD tool. See Use the Certificate Generation Utility to Generate Certificates Automatically in Region A.

1 Copy the .keystore file that the CertGenVVD tool generated to the /root folder on the vSphere Data Protection virtual appliance. You can use scp, FileZilla or WinSCP.

2 Log in to the vSphere Data Protection appliance.
   a Open an SSH connection to the virtual machine mgmt01vdp01.sfo01.rainpole.local.
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vdp_root_password

3 Restart all vSphere Data Protection services by running the following commands.

      dpnctl stop all
      dpnctl start all

4 Run the addFingerprint.sh script to update the vSphere Data Protection server thumbprint displayed in the VM console welcome screen.

      /usr/local/avamar/bin/addFingerprint.sh

Install a Manually Generated Certificate on vSphere Data Protection in Region A

Replace the certificate on vSphere Data Protection in Region A with the certificate that is signed by the Microsoft CA on the dc01sfo.sfo01.rainpole.local AD server.

1 On the Windows host that has access to the data center, copy the vdp.p7b certificate file to the /root folder on the vSphere Data Protection virtual appliance. You can use scp, FileZilla or WinSCP.

2 Log in to the vSphere Data Protection appliance.
   a Open an SSH connection to the virtual machine mgmt01vdp01.sfo01.rainpole.local.
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vdp_root_password

3 Verify that the vSphere Data Protection services are stopped.

      emwebapp.sh --test

   If the services are running, stop them by running the following command.

      emwebapp.sh --stop

4 Import the certificate in the vSphere Data Protection keystore.
   a Run the following console command.

      /usr/java/latest/bin/keytool -import -alias tomcat -keystore /root/.keystore -file /root/vdp.p7b

   b When prompted for the keystore password, enter changeit.
   c When prompted to trust the certificate, type yes and press Enter.

5 Verify that the certificate is installed successfully.
   a Run the following command.

      /usr/java/latest/bin/keytool -list -v -keystore /root/.keystore -storepass changeit -keypass changeit | grep tomcat

   b Verify that the output contains Alias name: tomcat.

6 Run the addFingerprint.sh script to update the vSphere Data Protection server thumbprint that is displayed in the VM console welcome screen.

      /usr/local/avamar/bin/addFingerprint.sh

   This script does not return any output.

7 Start the vSphere Data Protection services.

      emwebapp.sh --start

Replace Certificates of the Cloud Management Platform Components in Region A

After you generate a signed certificate for a component of the Cloud Management Platform, replace it and update it on the management components in the region to maintain a secure connection.

1 Replace vRealize Automation Certificate in Region A
   Replace the existing certificates for all vRealize Automation services from the vRealize Automation management console.

2 Update the vRealize Automation Certificate on vRealize Orchestrator and vRealize Business in Region A
   After you update the vRealize Automation certificate, reconnect vRealize Orchestrator and vRealize Business to vRealize Automation to install the new certificate.

3 Update the vRealize Automation Certificate on vRealize Operations Manager
   After you change the certificate of vRealize Automation, update the certificate on vRealize Operations Manager by reconnecting the vRealize Automation Adapter.

4 Replace the Certificate of vRealize Orchestrator in Region A
   Import the generated custom certificates to vRealize Orchestrator from the vRealize Orchestrator Control Center. You must import the certificates on both of the vRealize Orchestrator virtual machines.

5 Certificate Replacement for vRealize Business Server in Region A
   Replace the existing certificate of vRealize Business with a new one using the vRealize Business appliance management console.

Replace vRealize Automation Certificate in Region A

Replace the existing certificates for all vRealize Automation services from the vRealize Automation management console.

1 Log in to the vRealize Automation appliance management console.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vra_appA_root_password

2 On the vRA Settings tab, click the Database tab.
3 If vra01svr01b.rainpole.local is the MASTER node, log in to using the root user name and the vra_appB_root_password password instead.
4 On the vRA Settings tab, click the Host Settings tab.
5 Under SSL Configuration, select Import next to Certificate Action.
6 From a text editor on the Windows host that you use to access the data center, copy the content of the following certificate files and paste it in the corresponding text boxes in the user interface, and click Save Settings.

      Source Content                                          Target Text Box
      vra.key                                                 RSA Private Key
      vra.chain.pem                                           Certificate Chain
      Passphrase that you optionally entered at generation    Passphrase

7 Click the Certificates tab and repeat the procedure to configure the IaaS Web server and IaaS Manager Service with the new certificate details.

      IaaS Component          Component Type
      IaaS Web server         IaaS Web
      IaaS Manager Service    Manager Service

Update the vRealize Automation Certificate on vRealize Orchestrator and vRealize Business in Region A

After you update the vRealize Automation certificate, reconnect vRealize Orchestrator and vRealize Business to vRealize Automation to install the new certificate.

1 Update the vRealize Automation certificate in the component registry authentication with vRealize Automation for vRealize Orchestrator.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    hostA_root_password

   c On the Home page, under Manage, click Configure Authentication Provider.
   d On the Authentication Provider tab, click Unregister next to Host address for the vRealize Automation mode and click Unregister from the Identity service section.
   e Click Connect to register vRealize Automation again as an authentication provider, and in the Identity service click Register.
   f In the Admin group text box, enter vro and click Search.
   g From the drop-down menu, select rainpole.local\ug-vROAdmins and click Save Changes.
   h In the restart message that appears on the Authentication Provider tab, click the Startup Options link and on the Startup Options page click Restart.

2 Update the vRealize Automation certificate on vRealize Business.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vrb_server_root_password

   c On the Registration tab, click the vRA tab, and enter the following credentials to register with the vRealize Automation server.

      Setting                                   Value
      Hostname                                  vra01svr01.rainpole.local
      SSO Default Tenant                        rainpole
      SSO Admin User                            administrator
      SSO Admin Password                        vra_administrator_password
      Accept "vRealize Automation" certificate  Deselected

   d Click Register to connect to vRealize Automation and get its certificate.
     A failure message appears at the top of the page. Wait until the SSO Status changes to The certificate of "vRealize Automation" is not trusted. Please view and accept to register.

   e Click the View "vRealize Automation" certificate link to download the vRealize Automation certificate.
   f Select the Accept "vRealize Automation" certificate check box and click Register.
     SSO Status changes to Connected to vRealize Automation.

Update the vRealize Automation Certificate on vRealize Operations Manager

After you change the certificate of vRealize Automation, update the certificate on vRealize Operations Manager by reconnecting the vRealize Automation Adapter.

1 Log in to vRealize Operations Manager by using the administration console.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrops_admin_password

2 In the left pane of vRealize Operations Manager, click Administration and click Certificates.
3 Select the row that contains CN=vra01svr01.rainpole.local and click the Delete icon.
4 In the left pane of vRealize Operations Manager, click Administration and click Solutions.
5 Select the vRealize Automation Management Pack solution and click Configure.
6 In the Manage Solutions dialog box, select vRealize Automation Adapter, click Test Connection, accept the new certificate and click Save Settings.

Replace the Certificate of vRealize Orchestrator in Region A

Import the generated custom certificates to vRealize Orchestrator from the vRealize Orchestrator Control Center. You must import the certificates on both of the vRealize Orchestrator virtual machines.

1 Log in to the vRealize Orchestrator Control Center.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    hostA_root_password

2 From the Home page, under Manage, click Certificates.
3 Click the Orchestrator Server SSL Certificate tab, and click Import > Import from a PEM-encoded file.
4 Browse to the vro.2.chain.pem file in the vro folder on your local machine.
5 In the Key Password text box, enter the vro_vrealize_full_pem_pass password that you entered during certificate generation and click Import.
6 Restart the vRealize Orchestrator appliance for the changes to take effect.
   a From the Home page, under Manage, click Startup Options.
   b On the Startup Options page, click Restart.
7 Update the certificate on vRealize Automation.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   administrator
      Password    vra_administrator_password

   c On the Server Configuration page, select the Use an external Orchestrator server radio button, and click Test Connection.

Certificate Replacement for vRealize Business Server in Region A

Replace the existing certificate of vRealize Business with a new one using the vRealize Business appliance management console.

1 Log in to the vRealize Business Server appliance management console.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vrb_server_root_password

2 Click the Administration tab and click SSL.
3 On the Replace SSL Certificate page, select Import PEM encoded Certificate from the Choose mode drop-down menu.
4 Enter the values from the generated certificate for vRealize Business and click Replace Certificate.
   Use the vrb.key file as the RSA Private Key (.key) and the vrb.3.pem file for the Certificate(s) (.pem) entry. These files are in the vrb folder that you created during certificate generation.

   Choose mode
      Import PEM encoded Certificate

   RSA Private Key (.key)
      -----BEGIN RSA PRIVATE KEY-----
      private_key_value
      -----END RSA PRIVATE KEY-----

   Certificate(s) (.pem)
      -----BEGIN CERTIFICATE-----
      Server_certificate_value
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      Intermediate_CA
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      Root_CA_certificate_value
      -----END CERTIFICATE-----

   Private Key Passphrase
      vrb_cert_passphrase

5 Verify that the certificate changed successfully.
   A message appears that informs you that the SSL certificate was successfully configured.
6 Click the System tab and click Reboot for the changes to take effect.
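The Certificate(s) (.pem) entry above expects the server certificate first, then the intermediate CA, then the root CA. The following Python check is an added example, not part of the VMware guide or its tooling: it reads a PEM bundle and reports when that order is broken or the root CA is left out. It compares issuer and subject names only and does not verify signatures; the certificates in it are constructed test input with dummy keys, and all function names and common names are assumptions made for the example.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)            # enter Certificate
    _, pos, tbs_end = read_tlv(der, pos)    # enter tbsCertificate
    fields = []                             # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5 and pos < tbs_end:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version wrapper
            fields.append(der[pos:end])
        pos = end
    if len(fields) < 5:
        raise ValueError("not an X.509 certificate")
    return fields[2], fields[4]


def check_bundle(pem_text):
    """List ordering problems in a PEM bundle; an empty list means the order is right."""
    certs = [issuer_and_subject(base64.b64decode("".join(body.split())))
             for label, body in PEM_BLOCK.findall(pem_text)
             if label == "CERTIFICATE"]     # private key blocks are ignored
    if not certs:
        return ["no CERTIFICATE block found"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    issuer, subject = certs[-1]
    if issuer != subject:
        problems.append("last certificate is not self-signed: root CA certificate missing")
    return problems


# --- constructed test input: real X.509 field layout, dummy key and signature ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        head = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value


def name(common_name):
    cn = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, common_name.encode()))
    return tlv(0x30, tlv(0x31, cn))


def fake_cert(subject_cn, issuer_cn):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    server = fake_cert("Constructed-Server", "Constructed-Intermediate-CA")
    inter = fake_cert("Constructed-Intermediate-CA", "Constructed-Root-CA")
    root = fake_cert("Constructed-Root-CA", "Constructed-Root-CA")
    print(check_bundle(server + inter + root))   # correct order
    print(check_bundle(server + root + inter))   # intermediate and root swapped
    print(check_bundle(server + inter))          # root CA left out
```

To check a real file, pass its text to check_bundle, for example check_bundle(open("vrb.3.pem").read()).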

Replace Certificates of the Operations Management Components in Region A

If the certificate of vRealize Operations Manager or vRealize Log Insight expires, replace it and update it on the management components in the region to maintain a secure connection.

1 Replace vRealize Operations Manager Certificate in Region A
   Use the generated PEM file to replace the current certificate on the vRealize Operations Manager administrator user interface.

2 Replace the Certificate of vRealize Log Insight in Region A
   After you generate the PEM certificate chain file that contains the own certificate, the signer certificate and the private key file, upload the certificate chain to vRealize Log Insight.

3 Update Event Forwarding in Region B
   After you replace the certificate of vRealize Log Insight in Region A, you update log forwarding from vRealize Log Insight in Region B to vRealize Log Insight in Region A.

Replace vRealize Operations Manager Certificate in Region A

Use the generated PEM file to replace the current certificate on the vRealize Operations Manager administrator user interface.

1 Log in to the vRealize Operations Manager administrator user interface.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrops_admin_password

2 At the upper right corner of the UI, click the yellow SSL Certificate icon.
3 In the SSL Certificate dialog box, click Install New Certificate.
4 Click Browse, locate the PEM file, and click Open.

      Certificate Generation Option   Certificate File
      Using the CertGenVVD tool       vrops-forvvd4.0.2.chain.pem
      Manual generation               vrops01-chain.pem

5 Verify the certificate details and click Install.

6 Update the vRealize Operations Manager certificate for workload reclamation communication with vRealize Automation.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   itac-tenantadmin
      Password    itac-tenantadmin_password
      Domain      rainpole.local

   c Navigate to Administration > Reclamation > Metrics Provider.
   d On the Metrics Provider page, click Test Connection for the vRealize Operations Manager endpoint provider, verify that the test connection is successful, and click Save.
   e In the certificate warning message box, click OK.

Replace the Certificate of vRealize Log Insight in Region A

After you generate the PEM certificate chain file that contains the own certificate, the signer certificate and the private key file, upload the certificate chain to vRealize Log Insight.

1 Log in to the vRealize Log Insight user interface.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrli_admin_password

2 In the vRealize Log Insight user interface, click the configuration drop-down menu icon and select Administration.
3 Under Configuration, click SSL.
4 On the SSL Configuration page, next to New Certificate File (PEM format) click Choose File, browse to the location of the PEM file on your computer, and click Save.

      Certificate Generation Option   Certificate File
      Using the CertGenVVD tool       vrli.sfo01.2.chain.pem
      Manual generation               vrli-sfo01.chain.pem

   The certificate is uploaded to vRealize Log Insight.

5 Import the certificate into the Java Keystore on each vRealize Log Insight node.
   a Open an SSH session and go to each of the vRealize Log Insight nodes.

      Name                                  Role
      vrli-mstr-01.sfo01.rainpole.local     Master node
      vrli-wrkr-01.sfo01.rainpole.local     Worker node 1
      vrli-wrkr-02.sfo01.rainpole.local     Worker node 2

   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vrli_root_password

   c Convert the on-disk vrli.sfo01.2.chain.pem file into a vrli.sfo01.2.chain.crt file.

      openssl x509 -in /root/vrli.sfo01.2.chain.pem -inform PEM -out /root/vrli.sfo01.2.chain.crt

   d Import the vrli.sfo01.2.chain.crt into the Java Keystore:

      /usr/java/default/lib/security/../../bin/keytool -import -alias loginsight -file /root/vrli.sfo01.2.chain.crt -keystore cacerts

   e When prompted for the keystore password, type changeit.
   f When prompted to accept the certificate, type yes.
   g Repeat this operation on all vRealize Log Insight nodes until complete.

6 Open a Web browser and go to
   A warning message that the connection is not trusted appears.
7 To review the certificate, click the padlock in the address bar of the browser, and verify that Subject Alternative Name contains the names of the vRealize Log Insight cluster nodes.
8 Import the certificate in your Web browser.
   For example, in Google Chrome under the HTTPS/TLS settings click Manage certificates, and in the Certificates dialog box import vrli-chain.pem. You can also use Certificate Manager on Windows or Keychain Access on Mac OS X.

Update Event Forwarding in Region B

After you replace the certificate of vRealize Log Insight in Region A, you update log forwarding from vRealize Log Insight in Region B to vRealize Log Insight in Region A.

1 Copy the certificate PEM file for vRealize Log Insight in Region A to the root directory of vrli-mstr-01.sfo01.rainpole.local.
   a Use the scp command, FileZilla, or WinSCP to connect to vrli-mstr-01.sfo01.rainpole.local.
   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vrli_regionA_root_password

   c Navigate to the /root directory on vrli-mstr-01.sfo01.rainpole.local.
   d Copy the certificate PEM file vrli.sfo01.2.chain.pem on your computer to the /root directory on the master node. Overwrite any existing file with the same name.

2 Import the root certificate in the Java keystore on each vRealize Log Insight node in Region B.
   a Open an SSH session and go to the vRealize Log Insight node.

      Name                                  Role
      vrli-mstr-51.lax01.rainpole.local     Master node
      vrli-wrkr-51.lax01.rainpole.local     Worker node 1
      vrli-wrkr-52.lax01.rainpole.local     Worker node 2

   b Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vrli_regionB_root_password

   c Using scp, remotely copy the SSL certificate from the master node in Region A.

      scp root@vrli-mstr-01.sfo01.rainpole.local:/root/vrli.sfo01.2.chain.pem /root/vrli.sfo01.2.chain.pem

   d When prompted to accept the certificate, type yes.
   e When prompted for the root password, type the following.

      Setting     Value
      User name   root
      Password    vrli_regionA_root_password

   f Convert the vrli.sfo01.2.chain.pem file into a vrli.sfo01.2.chain.crt file:

      openssl x509 -in /root/vrli.sfo01.2.chain.pem -inform PEM -out /root/vrli.sfo01.2.chain.crt

   g Import the vrli.sfo01.2.chain.crt in the Java keystore of the vRealize Log Insight node.

      /usr/java/default/lib/security/../../bin/keytool -import -alias loginsight -file /root/vrli.sfo01.2.chain.crt -keystore cacerts

   h When prompted for the keystore password, type changeit.
   i When prompted to accept the certificate, type yes.
   j Repeat this operation on all vRealize Log Insight nodes and restart them.

3 Log in to the vRealize Log Insight user interface.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrli_admin_password

4 In the vRealize Log Insight user interface, click the configuration drop-down menu icon and select Administration.
5 Under Management, click Event Forwarding.
6 On the Event Forwarding page, select LAX01 to SFO01 and click the Edit icon.
7 In the Edit Destination dialog box, click Test to verify that the connection settings are correct.
8 Click Save to save the new forwarding destination.

2 Region B Certificate Replacement

After you first replace the certificates in Region A, you continue with the certificate replacement on the components in Region B.

Create and Add a Microsoft Certificate Authority Template in Region B
   The first step in certificate generation and replacement is setting up a Microsoft Certificate Authority template through a Remote Desktop Protocol session. After you have created the new template, you add it to the certificate templates of the Microsoft CA.

Use the Certificate Generation Utility to Generate Certificates Automatically in Region B
   You can use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate signed certificates that you can import to the SDDC management products in Region B. You can then import the certificates to these components to maintain a secure connection to the external network and between the components themselves.

Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B
   Create certificate signing requests for the management components in the SDDC and send them to a certificate authority, such as the Microsoft AD server in Region B, for getting a signed component certificate.

Generate CA-Signed Certificates for the SDDC Management Components in Region B
   When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA).

Replace Certificates of the Management Products in Region B
   After you generate a certificate for a management product in Region B that is signed by the certificate authority on the parent or child AD server in the region, replace the default certificate or an expired certificate with a newly-signed one on the product instance in the region.

Create and Add a Microsoft Certificate Authority Template in Region B

The first step in certificate generation and replacement is setting up a Microsoft Certificate Authority template through a Remote Desktop Protocol session. After you have created the new template, you add it to the certificate templates of the Microsoft CA.

Prerequisites

This VMware Validated Design sets the CA up on both Active Directory (AD) servers: the main domain dc01rpl.rainpole.local (root CA) and the Region B subdomain dc51lax.lax01.rainpole.local (the intermediate CA). Both AD servers are running the Microsoft Windows Server 2012 R2 operating system.

Verify that you installed Microsoft Server 2012 R2 with Active Directory Domain Services enabled.

Verify that the Certificate Authority Service role and the Certificate Authority Web Enrollment role are installed and configured on the Active Directory Server.

Verify that dc51lax.lax01.rainpole.local has been set up to be the intermediate CA of the root CA dc01rpl.rainpole.local.

1 Use Remote Desktop Protocol to connect to the CA server dc01lax.lax01.rainpole.local as the AD administrator with the ad_admin_password password.
2 Click Start > Run, enter certtmpl.msc, and click OK.
3 In the Certificate Template Console, under Template Display Name, search the list to see if a template with the name VMware exists.
4 If a template with the name VMware already exists, skip to Step 11.
5 In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
6 In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK.
7 In the Properties of New Template dialog box, click the General tab.
8 In the Template display name text box, enter VMware as the name of the new template.
9 Click the Extensions tab and specify extensions information:
   a Select Application Policies and click Edit.
   b Select Server Authentication, click Remove, and click OK.
   c Select Key Usage and click Edit.
   d Click the Signature is proof of origin (nonrepudiation) check box.
   e Leave the default for all other options.
   f Click OK.
10 Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
11 To add the new template to your CA, click Start > Run, enter certsrv.msc, and click OK.
12 In the Certification Authority window, expand the left pane if it is collapsed.
13 Right-click Certificate Templates and select New > Certificate Template to Issue.
14 In the Enable Certificate Templates dialog box, select the VMware certificate that you just created in the Name column and click OK.

Use the Certificate Generation Utility to Generate Certificates Automatically in Region B

You can use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate signed certificates that you can import to the SDDC management products in Region B. You can then import the certificates to these components to maintain a secure connection to the external network and between the components themselves.

1 Use the Certificate Generation Utility to Generate CA-Signed Certificates for the SDDC Management Components in Region B
   Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

2 Additional Configuration for Intermediate Certificate Authority in Region B
   If you use an intermediate certificate authority on lax01.rainpole.local as the certificate signer, the CertGenVVD utility only retrieves the intermediate Base 64 certificate from the Microsoft CA. You must create a certificate chain file that also includes the root CA certificate.

Use the Certificate Generation Utility to Generate CA-Signed Certificates for the SDDC Management Components in Region B

Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article

Prerequisites

If you use an intermediate CA such as lax01.rainpole.local, make the Windows host that you use to connect to the data center part of the lax01.rainpole.local domain.

1 Log in to a Windows host that has access to your data center.
2 Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
3 In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
4 Verify that the following properties are configured.

      ORG=Rainpole Inc.
OU=Rinpole.lol LOC=LAX ST=CA CC=US CN=VMwre_VVD keysize= Verify tht only the :\CertGenVVD-version\ConfigFiles foler ontins only following files. omp01esx51.lx01.txt omp01esx52.lx01.txt VMwre, In. 65

66 Certifite Replement omp01esx53.lx01.txt omp01esx54.lx01.txt omp01nsxm51.lx01.txt omp01v51.lx01.txt omp01ps51.lx01.txt mgmt01esx51.lx01.txt mgmt01esx52.lx01.txt mgmt01esx53.lx01.txt mgmt01esx54.lx01.txt mgmt01nsxm51.lx01.txt mgmt01srm51.lx01.txt mgmt01v51.lx01.txt mgmt01vp51.lx01.txt mgmt01vrms51.lx01.txt lx01ps51.lx01.txt vrli.lx01.txt 6 If lx01ps51.lx01.txt oes not exist, rete it so tht you n generte ertifites for the Pltform Servies Controllers tht re ehin lo lner in Region B. Mke opy of mgmt01ps51.lx01.txt n sve it s lx01ps51.lx01.txt. Open the opie file in text eitor, n verify tht the following properties re onfigure. lx01ps51.lx01.txt [CERT] NAME=efult ORG=efult OU=efult LOC=LAC ST=efult CC=efult CN=lx01ps51.lx01.rinpole.lol keysize=efult [SAN] lx01ps51 lx01ps51.lx01.rinpole.lol 7 Open Winows PowerShell prompt n nvigte to the CertGenVVD foler. For exmple, of you use CertGenVVD 2.1, nvigte to the following foler: C:\CertGenVVD Run the following ommn to grnt PowerShell permissions to run thir-prty shell sripts. Set-ExeutionPoliy Unrestrite 9 Run the following ommn to vlite prerequisites for running the utility. Verify tht VMwre is inlue in the ville CA Templte Poliy..\CertgenVVD-2.1.ps1 -vlite 66 VMwre, In.

10 Run the following command to generate MSCA-signed certificates.

   .\certgenvvd-2.1.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware'

11 In the c:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts sub-folder.

What to do next

Replace the default certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Management Products in Region B, on page 89.

Additional Configuration for Intermediate Certificate Authority in Region B

If you use an intermediate certificate authority on lax01.rainpole.local as a certificate signer, the CertGenVVD utility only retrieves the intermediate Base 64 certificate from the Microsoft CA. You must create a certificate chain file that also includes the root CA certificate.

1 Log in to the site for certificate request on the lax01.rainpole.local AD server.
   a Open a browser and go to
   b Log in using the following credentials.

      Setting | Values
      User name | ad_administrator
      password | ad_administrator_password

2 Download and export the certificates of the intermediate and root CAs.
   a Click Download a CA certificate, certificate chain, or CRL.
   b Select Current [lax01-DC01LAX-CA] in the CA certificate list, select Base 64 and click Download CA certificate chain.
   c Save the file as chainroot.p7b.
   d Open chainroot.p7b. The certmgr utility appears.
   e Navigate to the Certificates folder.
   f Right-click lax01-dc01lax-ca and select All Tasks > Export. The Certificate Export Wizard appears.
   g On the Welcome page, click Next.
   h Select Base-64 encoded X.509 (.CER) and click Next.
   i On the File to Export page, browse to C:\CertGenVVD-version\SignedByMSCACerts\lax01-intermediate-ca.cer, click Next and click Finish.
   j Click Okay when you see a message about a successful export.
   k In the certmgr utility, right-click rainpole-dc01rpl-ca and select All Tasks > Export and repeat the steps to save the rainpole.local root CA certificate as C:\CertGenVVD-version\SignedByMSCACerts\rainpole-root-ca.cer.
3 Create the chainroot64lax.cer file that includes both root and intermediate CA certificates.
   a Open rainpole-root-ca.cer in a text editor.
   b Copy the entire content and close the file.

   c Open lax01-intermediate-ca.cer in a text editor, press Enter to insert a new line at the end of the file, and paste the rainpole-root-ca.cer content.
   d Save the file as chainroot64lax.cer to C:\CertGenVVD-version\SignedByMSCACerts\.
   e Close all files.
   f Verify that the new file C:\CertGenVVD-version\SignedByMSCACerts\chainRoot64lax.cer exists and contains the content of both lax01-intermediate-ca.cer and rainpole-root-ca.cer.
4 Refresh all MSCA-signed certificates with the new intermediate and root CAs.
   a Open the C:\CertGenVVD-version folder.
   b Make a copy of the SignedByMSCACerts folder and name it SignedByMSCACerts-backup.
   c Rename the SignedByMSCACerts folder to CSRCerts.
   d Open the C:\CSRCerts\RootCA\ folder.
   e Delete the Root64.cer file.
   f Create a copy of chainroot64lax.cer as Root64.cer.
   g Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
   h Run the following command to regenerate all certificate files and packages using the new Root64.cer.

      .\CertGenVVD-version.ps1 -CSR -extra

   i Rename the CSRCerts folder back to SignedByMSCACerts.

Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B

Create certificate signing requests for the management components in the SDDC and send them to a certificate authority, such as the Microsoft AD server in Region B, to get a signed component certificate.

Generate Manually Key Pairs and Certificate Signing Requests for the ESXi Hosts in Region B on page 69
   If you plan to manually generate certificates for the ESXi management hosts in Region B, on the Management vCenter Server generate a key pair and a Certificate Signing Request (CSR) for each host. Submit the CSR file to the certificate authority for signing.

Generate Manually Key Pair and Certificate Signing Request for the Platform Services Controller Instances in Region B on page 70
   Generate a single Certificate Signing Request (CSR) for the load-balanced Platform Services Controllers and submit it to the certificate authority for signing. The two Platform Services Controllers have the same certificate.

Generate Manually Key Pair and Certificate Signing Request for vCenter Server in Region B on page 71
   If you plan to generate manually a CA-signed certificate for vCenter Server in Region B, you can generate a certificate signing request (CSR) and submit it to the CA for signing.

Generate Manually Key Pair and Certificate Signing Request for NSX in Region B on page 73
   If you plan to generate manually a CA-signed certificate for NSX, you can generate a certificate signing request (CSR) and submit it to the CA for signing.

Generate Manually Key Pair and Certificate Signing Request for vSphere Data Protection in Region B on page 74
   Generate the files that are required to obtain a CA-signed certificate for vSphere Data Protection in Region B.

Generate Key Pairs and Certificate Signing Requests for Site Recovery Manager Certificates on page 77
   Generate a key pair and certificate signing requests (CSRs) that you can use to obtain a CA-signed certificate for the Site Recovery Manager instances in the SDDC.

Generate Key Pairs and Certificate Signing Requests for vSphere Replication on page 80
   Generate key pair and certificate signing request (CSR) files that you can use to obtain CA-signed certificates for vSphere Replication.

Generate Key Pair and Certificate Signing Request for vRealize Log Insight in Region B on page 82
   To create a CA-signed certificate for vRealize Log Insight in Region B, generate a certificate signing request (CSR) on the Linux appliance for the master node and use the intermediate certificate authority on the child AD server to sign the certificate.

Generate Manually Key Pairs and Certificate Signing Requests for the ESXi Hosts in Region B

If you plan to manually generate certificates for the ESXi management hosts in Region B, on the Management vCenter Server generate a key pair and a Certificate Signing Request (CSR) for each host. Submit the CSR file to the certificate authority for signing.

You start with the hosts in the management cluster and then proceed to the hosts in the shared edge and compute cluster.

You use the Management vCenter Server to generate the key pair and the CSR files because the appliance already has the required software for CSR generation installed. You can also use another Linux OS instance that has OpenSSL installed.

Prerequisites

Verify that the Windows host that you use for access to the data center is a part of the lax01.rainpole.local domain.

1 Log in to the Windows host that has access to your data center.
2 If not already created, create a folder C:\manual-certs\esxhosts.
3 Log in to mgmt01vc51.lax01.rainpole.local by using a Secure Shell (SSH) client.
   a Open an SSH connection to the virtual machine mgmt01vc51.lax01.rainpole.local.
   b Log in using the following credentials.

      Setting | Value
      User name | root
      Password | vcenter_server_root_password

4 Enable the Bash shell by running these commands.

   shell

5 Create a directory to save the certificate signing request and the private key to.

   mkdir /tmp/ssl

6 Navigate to the temporary directory by running the following command.

   cd /tmp/ssl

7 Generate a private key pair and a CSR file for the mgmt01esx51.lax01.rainpole.local host by running the following command.

   openssl req -nodes -newkey rsa:2048 -keyout mgmt01esx51.key -out mgmt01esx51.csr -subj "/C=US/ST=CA/L=LAX/O=Rainpole Inc./OU=Rainpole.local/CN=mgmt01esx51.lax01.rainpole.local"

8 Repeat Step 7 to create a key pair and CSR for each of the hosts in the management cluster.

   Host Name | Key File Name | CSR File Name
   mgmt01esx52.lax01.rainpole.local | mgmt01esx52.key | mgmt01esx52.csr
   mgmt01esx53.lax01.rainpole.local | mgmt01esx53.key | mgmt01esx53.csr
   mgmt01esx54.lax01.rainpole.local | mgmt01esx54.key | mgmt01esx54.csr
   comp01esx51.lax01.rainpole.local | comp01esx51.key | comp01esx51.csr
   comp01esx52.lax01.rainpole.local | comp01esx52.key | comp01esx52.csr
   comp01esx53.lax01.rainpole.local | comp01esx53.key | comp01esx53.csr
   comp01esx54.lax01.rainpole.local | comp01esx54.key | comp01esx54.csr

9 Copy all the key and CSR files to the C:\manual-certs\esxhosts\ directory on the Windows host.

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region B, on page 84.

Generate Manually Key Pair and Certificate Signing Request for the Platform Services Controller Instances in Region B

Generate a single Certificate Signing Request (CSR) for the load-balanced Platform Services Controllers and submit it to the certificate authority for signing. The two Platform Services Controllers have the same certificate.

1 Log in to the Windows host that has access to the data center.
2 Log in to the Platform Services Controller appliance for the management cluster by using a Secure Shell (SSH) client.
   a Open an SSH connection to the mgmt01psc01.lax01.rainpole.local virtual machine.
   b Log in using the following credentials.

      Setting | Value
      User name | root
      Password | mgmtpsc_root_password

3 Enable the Bash shell by running the following command.

   shell

4 Create a directory to save the certificate signing request and private key to.

   mkdir /tmp/ssl

5 Start the vSphere Certificate Manager utility.

   /usr/lib/vmware-vmca/bin/certificate-manager

6 Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
7 When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller
8 Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate), and enter /tmp/ssl for the directory to save the certificate signing request and private key to.
9 Provide the following settings to configure certool.cfg and close the vSphere Certificate Manager utility.

   Setting | Value
   Country | US
   Name | lax01psc51.lax01.rainpole.local
   Organization | Rainpole Inc.
   OrgUnit | Rainpole.local
   State | California
   Locality | Palo Alto
   IPAddress |
   Email | administrator@rainpole.local
   Hostname | lax01psc51.lax01.rainpole.local

   The created CSR files are vmca_issued_csr.csr and vmca_issued_key.key in the /tmp/ssl folder.

10 Run the following command to rename the vmca_issued_csr.csr and vmca_issued_key.key files to match the Platform Services Controller load balancer IP address.

   mv vmca_issued_csr.csr lax01psc51.lax01.csr
   mv vmca_issued_key.key lax01psc51.lax01.key

11 Copy the .csr file to directory C:\manual-certs\lax01psc51\ on the Windows host.

Generate Manually Key Pair and Certificate Signing Request for vCenter Server in Region B

If you plan to generate manually a CA-signed certificate for vCenter Server in Region B, you can generate a certificate signing request (CSR) and submit it to the CA for signing.

You generate a CSR on the vCenter Server instances by using the vSphere Certificate Manager utility, and obtain custom certificates that are signed by the intermediate certificate authority available on the child AD servers.

Prerequisites

Verify that the Windows host that you use for access to the data center is a part of the lax01.rainpole.local domain.

1 Log in to a Windows host that has access to the data center as an administrator.

2 Log in to the vCenter Server Appliance for the management cluster by using a Secure Shell (SSH) client.
   a Open an SSH connection to the vCenter Server instance by using an SSH client.

      vCenter Server | Virtual Appliance FQDN
      Management vCenter Server | mgmt01vc51.lax01.rainpole.local
      Compute vCenter Server | comp01vc51.lax01.rainpole.local

   b Log in using the following credentials.

      Setting | Value
      User name | root
      Password | vcenter_server_root_password

3 Enable the Bash shell by running the following commands.

   shell

4 Create a directory to save the certificate signing request and private key to.

   mkdir /tmp/ssl

5 Start the vSphere Certificate Manager utility.

   /usr/lib/vmware-vmca/bin/certificate-manager

6 Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
7 When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.

   vCenter Server | IP Address of Connected Platform Services Controller
   mgmt01vc51.lax01.rainpole.local |
   comp01vc51.lax01.rainpole.local |

8 Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate), and enter /tmp/ssl for the directory to save the certificate signing request and private key to.
9 Provide the following settings to configure certool.cfg and close the vSphere Certificate Manager utility.

   Setting | Value on the Management Platform Services Controller | Value on the Compute Platform Services Controller
   Country | US | US
   Name | mgmt01vc51.lax01.rainpole.local | comp01vc51.lax01.rainpole.local
   Organization | Rainpole Inc. | Rainpole Inc.
   OrgUnit | Rainpole.local | Rainpole.local
   State | California | California
   Locality | Palo Alto | Palo Alto
   IPAddress | - | -
   Email | administrator@vsphere.local | administrator@vsphere.local
   Hostname | mgmt01vc51.lax01.rainpole.local | comp01vc51.lax01.rainpole.local

   The utility creates the CSR files vmca_issued_csr.csr and vmca_issued_key.key in the /tmp/ssl folder.

10 Rename the vmca_issued_csr.csr and vmca_issued_key.key files to match the virtual machine name of the vCenter Server instance.

   vCenter Server | Key and CSR File Names | Command
   mgmt01vc51.lax01.rainpole.local | mgmt01vc51.lax01_ssl.csr | mv vmca_issued_csr.csr mgmt01vc51.lax01_ssl.csr
   mgmt01vc51.lax01.rainpole.local | mgmt01vc51.lax01_ssl.key | mv vmca_issued_key.key mgmt01vc51.lax01_ssl.key
   comp01vc51.lax01.rainpole.local | comp01vc51.lax01_ssl.csr | mv vmca_issued_csr.csr comp01vc51.lax01_ssl.csr
   comp01vc51.lax01.rainpole.local | comp01vc51.lax01_ssl.key | mv vmca_issued_key.key comp01vc51.lax01_ssl.key

11 If you plan to generate manually a certificate for the other vCenter Server instance in Region B, repeat Step 2 to Step 10.
12 Copy the .csr file to the C:\manual-certs\vc directory on the Windows host.

   vCenter Server | Directory on the Windows host
   Management vCenter Server | C:\manual-certs\vc\mgmt01vc51.lax01_ssl.csr
   Compute vCenter Server | C:\manual-certs\vc\comp01vc51.lax01_ssl.csr

   Use the scp command, FileZilla, or WinSCP to copy the file.

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B, on page 68.

Generate Manually Key Pair and Certificate Signing Request for NSX in Region B

If you plan to generate manually a CA-signed certificate for NSX, you can generate a certificate signing request (CSR) and submit it to the CA for signing.

1 Log in to the Windows host that has access to the AD server as an administrator.
2 On the Windows host that has access to the data center, log in to the NSX Manager Web interface.
   a Open a Web browser and go to the following URL.

      NSX Manager | URL
      NSX Manager for the management cluster |
      NSX Manager for the shared compute and edge cluster |

   b Log in using the following credentials.

      Setting | Value
      User name | admin
      Password | nsx_manager_admin_password

3 Click Manage Appliance Settings.
4 In the Settings pane on the left, click SSL Certificates.
5 Under SSL Certificates on the right, click Generate CSR.

6 In the Generate Certificate Signing Request dialog box, provide the following information, and click OK.

   CSR Info | Value
   Algorithm | RSA
   Key size | 2048
   Common Name | mgmt01nsxm51.lax01.rainpole.local
               | comp01nsxm51.lax01.rainpole.local
   Organization Unit | Rainpole
   Organization Name | Rainpole
   Locality Name | LAX
   State Name | CA
   Country Code | US

7 Under SSL Certificates, click Download CSR.
   VMware NSX downloads a CSR file called NSX to the default download directory.
8 Copy the NSX file to the following local directory. Create the directory if necessary.

   NSX Manager Instance | Directory on the Windows Host
   mgmt01nsxm51.lax01.rainpole.local | C:\manual-certs\nsx\mgmt01nsxm51.lax01
   comp01nsxm51.lax01.rainpole.local | C:\manual-certs\nsx\comp01nsxm51.lax01

9 Rename the file by adding the .csr extension at the end of the file name.

   NSX Manager | File Name
   mgmt01nsxm51.lax01.rainpole.local | mgmt01nsxm51.lax01_ssl.csr
   comp01nsxm51.lax01.rainpole.local | comp01nsxm51.lax01_ssl.csr

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region B, on page 84.

Generate Manually Key Pair and Certificate Signing Request for vSphere Data Protection in Region B

Generate the files that are required to obtain a CA-signed certificate for vSphere Data Protection in Region B.

1 Enable SSH Root User Access on vSphere Data Protection Appliance in Region B on page 75
   Enable the login to the vSphere Data Protection appliance in Region B over Secure Shell (SSH) as the root user. You connect to the appliance over SSH to install custom certificates and to perform troubleshooting operations.

2 Generate Manually the Key Pair and Certificate Signing Request for vSphere Data Protection in Region B on page 76
   Generate a certificate signing request (CSR) for vSphere Data Protection in Region A that you can use to generate manually a certificate signed by the Microsoft CA on the dc51lax.lax01.rainpole.local AD server in Region A. Please allocate downtime for the vSphere Data Protection service. By doing this, the vSphere Data Protection service will be down until the new certificate is installed.

Enable SSH Root User Access on vSphere Data Protection Appliance in Region B

Enable the login to the vSphere Data Protection appliance in Region B over Secure Shell (SSH) as the root user. You connect to the appliance over SSH to install custom certificates and to perform troubleshooting operations.

1 Log in to vCenter Server by using the vSphere Web Client.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting | Value
      User name | administrator@vsphere.local
      Password | vsphere_admin_password

2 Navigate to the vSphere Data Protection virtual appliance mgmt01vdp51.
3 Right-click mgmt01vdp51 and select Open Console to open the remote console to the appliance.
4 Log in using the following credentials.

   Setting | Value
   User name | root
   Password | vdp_root_password

5 Run the following console command to open the sshd_config file for editing.

   vi /etc/ssh/sshd_config

6 Remove the # comment from the beginning of the line #PermitRootLogin yes.
7 Run the following command in the vi editor to save the file and exit the editor.

   :wq!

8 In the console, restart the SSH service to update the running configuration.

   /etc/init.d/sshd restart

9 Log out and close the console to the appliance.

Generate Manually the Key Pair and Certificate Signing Request for vSphere Data Protection in Region B

Generate a certificate signing request (CSR) for vSphere Data Protection in Region A that you can use to generate manually a certificate signed by the Microsoft CA on the dc51lax.lax01.rainpole.local AD server in Region A. Please allocate downtime for the vSphere Data Protection service. By doing this, the vSphere Data Protection service will be down until the new certificate is installed.

You must plan for downtime of the vSphere Data Protection service. During the certificate generation and replacement, the vSphere Data Protection service will be down until the new certificate is installed. When you plan the downtime, take into account the time you need to use the generated CSR file to request the CA-signed certificate.

1 Log in to the vSphere Data Protection appliance.
   a Open an SSH connection to the virtual machine mgmt01vdp51.lax01.rainpole.local.
   b Log in using the following credentials.

      Setting | Value
      User name | root
      Password | vdp_root_password

2 Stop the vSphere Data Protection services by running the following command.

   emwebapp.sh --stop

3 Delete the Tomcat alias from the certificate store.

   /usr/java/latest/bin/keytool -delete -alias tomcat

   When prompted for the keystore password, enter changeit.

4 Generate a CSR vdpcsr.csr by running the following two commands. When prompted for the keystore password, enter changeit.

   /usr/java/latest/bin/keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore /root/.keystore -storepass changeit -keypass changeit -validity -dname "CN=mgmt01vdp51.lax01.rainpole.local, OU=rainpole.local, O=Rainpole Inc., L=Palo Alto, S=CA, C=US"

   /usr/java/latest/bin/keytool -certreq -keyalg RSA -alias tomcat -file vdpcsr.csr

5 Copy the vdpcsr.csr file to the C:\manual-certs\vdp\mgmt01vdp51 directory on the Windows host that you use to access the data center.

What to do next

1 Obtain a signed certificate from the Microsoft certificate authority. See Generate Manually the Key Pair and Certificate Signing Request for vSphere Data Protection in Region B.
2 Replace the certificate on the vSphere Data Protection. See Install Manually Generated Certificate on vSphere Data Protection in Region A, on page 50.

Generate Key Pairs and Certificate Signing Requests for Site Recovery Manager Certificates

Generate a key pair and certificate signing requests (CSRs) that you can use to obtain a CA-signed certificate for the Site Recovery Manager instances in the SDDC.

You perform the following steps:

Table 2-1. Certificate-Related Files for Site Recovery Manager in Region A and Region B

   File Name | Site Recovery Manager in Region A | Site Recovery Manager in Region B
   CSR File Name | mgmt01srm01.sfo01_ssl.csr | mgmt01srm51.lax01_ssl.csr
   Certificate File Name | mgmt01srm01.sfo01.cer | mgmt01srm51.lax01.cer
   Key File Name | mgmt01srm01.sfo01_ssl.key | mgmt01srm51.lax01_ssl.key
   CA Certificate Chain | CACert.chain.cer | CACert.chain.cer
   PKCS#12 File Name from Manual Generation | mgmt01srm01.sfo01.p12 | mgmt01srm51.lax01.p12
   PKCS#12 File Name from the CertGenVVD tool | mgmt01srm01.sfo01.5.p12 | mgmt01srm51.lax01.5.p12

1 Log in to the Site Recovery Manager virtual machine by using a Remote Desktop Protocol (RDP) client.
   a Open an RDP connection to the following virtual machine.

      Region | Site Recovery Manager
      Region A | mgmt01srm01.sfo01.rainpole.local
      Region B | mgmt01srm51.lax01.rainpole.local

   b Log in using the following credentials.

      Setting | Value
      User name | Windows administrator user
      Password | windows_administrator_password

2 Generate a CSR file.
   You generate the certificate signing request using OpenSSL. On the Site Recovery Manager Windows virtual machine, OpenSSL is available under C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin.
   a Create a C:\certs directory on the Site Recovery Manager Server Windows machine.
   b In the C:\certs directory, create an OpenSSL configuration text file with the following content.

      Site Recovery Manager | File Name
      Site Recovery Manager in Region A | mgmt01srm01.sfo01.cfg
      Site Recovery Manager in Region B | mgmt01srm51.lax01.cfg

      [ req ]
      default_bits = 2048
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req

      [ v3_req ]
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = DNS: mgmt01srm01, IP: , DNS: mgmt01srm01.sfo01.rainpole.local

      [ req_distinguished_name ]
      countryName = US
      stateOrProvinceName = CA
      localityName = Palo Alto
      0.organizationName = Rainpole Inc.
      organizationalUnitName = Rainpole.local
      commonName = mgmt01srm01.sfo01.rainpole.local

   c Change the properties in the configuration file in the following way.

      Property | Region A | Region B
      subjectAltName | DNS:mgmt01srm01, IP: , DNS:mgmt01srm01.sfo01.rainpole.local | DNS:mgmt01srm51, IP: , DNS:mgmt01srm51.lax01.rainpole.local
      countryName | US | US
      stateOrProvinceName | CA | CA
      localityName | Palo Alto | Palo Alto
      0.organizationName | Rainpole Inc. | Rainpole Inc.
      organizationalUnitName | Rainpole.local | Rainpole.local
      commonName | mgmt01srm01.sfo01.rainpole.local | mgmt01srm51.lax01.rainpole.local

   d At the command prompt, run the following command to add the path to the bin folder of Site Recovery Manager to the Windows PATH environment variable. You configure the PATH environment variable so that Windows can locate and run the openssl.exe file.

      set PATH=%PATH%;C:\Program Files\VMware\VMware vCenter Site Recovery Manager\bin

   e At the command prompt, go to the C:\certs folder and generate the CSR by running the following command.

      Region A:
      openssl.exe req -new -nodes -out mgmt01srm01.sfo01_ssl.csr -keyout mgmt01srm01.sfo01-orig.key -config mgmt01srm01.sfo01.cfg

      Region B:
      openssl.exe req -new -nodes -out mgmt01srm51.lax01_ssl.csr -keyout mgmt01srm51.lax01-orig.key -config mgmt01srm51.lax01.cfg

   f Convert the private key to RSA format.

      Region A:
      openssl.exe rsa -in mgmt01srm01.sfo01-orig.key -out mgmt01srm01.sfo01_ssl.key

      Region B:
      openssl.exe rsa -in mgmt01srm51.lax01-orig.key -out mgmt01srm51.lax01_ssl.key

   g Copy the CSR file to the following directories on the Windows host that you use to access the data center.

      Option | Description
      Region A | C:\manual-certs\srm\mgmt01srm01.sfo01
      Region B | C:\manual-certs\srm\mgmt01srm51.lax01

   h Repeat the steps to generate a key file and CSR for the other Site Recovery Manager.

What to do next

Obtain a signed certificate from the Microsoft certificate authority. See Generate CA-Signed Certificates for the SDDC Management Components in Region B, on page 84.

Generate Key Pairs and Certificate Signing Requests for vSphere Replication

Generate key pair and certificate signing request (CSR) files that you can use to obtain CA-signed certificates for vSphere Replication.

Table 2-2. Certificate-Related Files for vSphere Replication in Region A and Region B

   File Name | vSphere Replication in Region A | vSphere Replication in Region B
   CSR File Name | mgmt01vrms01.sfo01_ssl.csr | mgmt01vrms51.lax01_ssl.csr
   Key File Name | mgmt01vrms01.sfo01_ssl.key | mgmt01vrms51.lax01_ssl.key

1 On your computer, create a configuration file for certificate request generation.

   vSphere Replication | File Name
   vSphere Replication in Region A | mgmt01vrms01.sfo01.cfg
   vSphere Replication in Region B | mgmt01vrms51.lax01.cfg

   [ req ]
   default_bits = 2048
   default_keyfile = rui.key
   distinguished_name = req_distinguished_name
   encrypt_key = no
   prompt = no
   string_mask = nombstr
   req_extensions = v3_req

   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = DNS: mgmt01vrms01, IP: , DNS: mgmt01vrms01.sfo01.rainpole.local

   [ req_distinguished_name ]
   countryName = US
   stateOrProvinceName = CA
   localityName = Palo Alto
   0.organizationName = Rainpole Inc.
   organizationalUnitName = Rainpole.local
   commonName = mgmt01vrms01.sfo01.rainpole.local

2 Change the settings in the configuration file as per the table below.

   Property | Region A | Region B
   subjectAltName | DNS:mgmt01vrms01, IP: , DNS:mgmt01vrms01.sfo01.rainpole.local | DNS:mgmt01vrms51, IP: , DNS:mgmt01vrms51.lax01.rainpole.local
   countryName | US | US
   stateOrProvinceName | CA | CA
   localityName | Palo Alto | Palo Alto
   0.organizationName | Rainpole Inc. | Rainpole Inc.
   organizationalUnitName | Rainpole.local | Rainpole.local
   commonName | mgmt01vrms01.sfo01.rainpole.local | mgmt01vrms51.lax01.rainpole.local

3 Enable the SSH service on the vSphere Replication virtual appliance.
   a Open a Web browser and go to
   b Log in using the following credentials.

      Setting | Value
      User name | administrator@vsphere.local
      Password | vsphere_admin_password

   c Right-click the mgmt01vrms01 virtual appliance and select Open Console to open the remote console to the appliance.
   d Press ALT+F1 to switch to the command prompt.
   e Log in using the following credentials.

      Setting | Value
      User name | root
      Password | vr_root_password

   f Start the SSH service by running the following command.

      /usr/bin/enable-sshd.sh

   g Close the remote console.
4 Log in to the vSphere Replication appliance by using a Secure Shell (SSH) client.
   a Open an SSH connection to the following virtual machine.

      vSphere Replication | FQDN
      vSphere Replication in Region A | mgmt01vrms01.sfo01.rainpole.local
      vSphere Replication in Region B | mgmt01vrms51.lax01.rainpole.local

   b Log in using the following credentials.

      Setting | Value
      User name | root
      Password | vr_sfo_root_password
               | vr_lax_root_password

5 Create a /tmp/ssl folder on the vSphere Replication appliance.
6 Copy the configuration file from your computer to the /tmp/ssl folder on the vSphere Replication appliance.

7 On the vSphere Replication appliance, go to the /tmp/ssl folder and generate the certificate signing request by running the following command.

   vSphere Replication in Region A:
   openssl req -new -nodes -out mgmt01vrms01.sfo01_ssl.csr -keyout mgmt01vrms01.sfo01-orig.key -config mgmt01vrms01.sfo01.cfg

   vSphere Replication in Region B:
   openssl req -new -nodes -out mgmt01vrms51.lax01_ssl.csr -keyout mgmt01vrms51.lax01-orig.key -config mgmt01vrms51.lax01.cfg

8 Convert the key returned by the command to the RSA format.

   vSphere Replication in Region A:
   openssl rsa -in mgmt01vrms01.sfo01-orig.key -out mgmt01vrms01.sfo01_ssl.key

   vSphere Replication in Region B:
   openssl rsa -in mgmt01vrms51.lax01-orig.key -out mgmt01vrms51.lax01_ssl.key

9 Copy the CSR file to the Windows host that has access to your data center.

   vSphere Replication | Folder on the Windows Host
   vSphere Replication in Region A | C:\manual-certs\vr\mgmt01vrms01.sfo01
   vSphere Replication in Region B | C:\manual-certs\vr\mgmt01vrms51.lax01

10 Repeat the steps to generate a CSR for the other vSphere Replication instance.

Generate Key Pair and Certificate Signing Request for vRealize Log Insight in Region B

To create a CA-signed certificate for vRealize Log Insight in Region B, generate a certificate signing request (CSR) on the Linux appliance for the master node and use the intermediate certificate authority on the child AD server to sign the certificate.

1 On your computer, create a configuration file for OpenSSL certificate request generation, called vrli-lax.cfg.
   Because all nodes in the cluster share the same certificate, the Subject Alternative Name field, subjectAltName, of the uploaded certificate must contain the IP addresses and FQDNs of all nodes and of the load balancer. For common name, use the full domain name of the integrated load balancer.

   [ req ]
   default_bits = 2048
   default_keyfile = rui.key
   distinguished_name = req_distinguished_name
   encrypt_key = no
   prompt = no
   string_mask = nombstr
   req_extensions = v3_req

   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = DNS:vrli-cluster-51, DNS: vrli-cluster-51.lax01.rainpole.local, DNS:vrli-mstr-51.lax01.rainpole.local, DNS:vrli-mstr-51, DNS:vrli-wrkr-51.lax01.rainpole.local, DNS:vrli-wrkr-51, DNS:vrli-wrkr-52.lax01.rainpole.local, DNS:vrli-wrkr-52

   [ req_distinguished_name ]
   countryName = US
   stateOrProvinceName = CA
   localityName = Palo Alto
   organizationName = Rainpole Inc.,
   organizationalUnitName = rainpole.local
   commonName = vrli-cluster-51.lax01.rainpole.local

2 Log in to the master node of vRealize Log Insight by using a Secure Shell (SSH) client.
   a Open an SSH connection to the virtual machine vrli-mstr-51.lax01.rainpole.local.
   b Log in using the following credentials.

      Setting | Value
      User name | root
      Password | vrli_master_root_password

3 Create a sub-directory called vrli in the root home directory and navigate to it.

   mkdir /root/vrli
   cd /root/vrli

4 From the /root/vrli folder, generate an RSA private key that is 2048 bits long, and save it as a vrli.key file.

   openssl genrsa -out vrli.key 2048

5 Copy the vrli-lax.cfg file to the /root/vrli folder on the master node virtual appliance. You can use scp, FileZilla or WinSCP.
6 Use the vrli.key private key and the vrli-lax.cfg configuration file to create a CSR and save it as a vrli-lax01.csr file to the /root/vrli folder.

   openssl req -new -key vrli.key -out vrli-lax01.csr -config vrli-lax.cfg

   The /root/vrli folder contains the vrli-lax.cfg, vrli.key and vrli-lax01.csr files.

7 Copy the vrli.key and vrli-lax01.csr files to the C:\manual-certs\vrli.lax01 folder on the Windows host that you use to access your data center.
8 Rename vrli.key to vrli-lax01.key.
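A pre-submission check for the cluster CSR described above, as an added example that is not part of the VMware guide: it confirms that every node and load balancer name is present in the requested subjectAltName, reports the key size, and confirms that the private key belongs to the CSR. The function names are hypothetical, the sample configuration is a constructed, trimmed copy of the vrli-lax.cfg listing (DNS entries only), and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (hypothetical helper names): inspect a CSR before sending it to the CA.

# Print the DNS entries of the CSR's requested subjectAltName, one per line.
csr_dns_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print every expected name (arguments 2..n) that the CSR's SAN does not cover.
missing_sans() {
    csr=$1; shift
    have=$(csr_dns_sans "$csr")
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Print the size of the public key in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if private key $2 matches the public key embedded in CSR $1.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build a constructed sample key and CSR in directory $1 (modelled on vrli-lax.cfg).
make_sample_csr() {
    dir=$1
    cat > "$dir/vrli-lax.cfg" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrli-cluster-51, DNS:vrli-cluster-51.lax01.rainpole.local, DNS:vrli-mstr-51.lax01.rainpole.local, DNS:vrli-mstr-51, DNS:vrli-wrkr-51.lax01.rainpole.local, DNS:vrli-wrkr-51, DNS:vrli-wrkr-52.lax01.rainpole.local, DNS:vrli-wrkr-52

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = Rainpole Inc.
organizationalUnitName = rainpole.local
commonName = vrli-cluster-51.lax01.rainpole.local
EOF
    openssl genrsa -out "$dir/vrli.key" 2048 2>/dev/null &&
        openssl req -new -key "$dir/vrli.key" -out "$dir/vrli-lax01.csr" \
            -config "$dir/vrli-lax.cfg"
}

# Demo on the constructed sample: list what is missing for the expected node set.
demo_dir=$(mktemp -d)
make_sample_csr "$demo_dir"
echo "key bits: $(csr_key_bits "$demo_dir/vrli-lax01.csr")"
echo "missing names: $(missing_sans "$demo_dir/vrli-lax01.csr" \
    vrli-cluster-51.lax01.rainpole.local vrli-mstr-51.lax01.rainpole.local \
    vrli-wrkr-51.lax01.rainpole.local vrli-wrkr-52.lax01.rainpole.local)"
csr_matches_key "$demo_dir/vrli-lax01.csr" "$demo_dir/vrli.key" && echo "key matches CSR"
rm -rf "$demo_dir"
```

An empty "missing names" line means the CSR covers every name passed in; any name printed there must be added to subjectAltName before the request is submitted.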

Generate CA-Signed Certificates for the SDDC Management Components in Region B

When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA).

Prerequisites

Create a Microsoft Certificate Authority Template. See Create and Add a Microsoft Certificate Authority Template in Region B, on page 63.
Generate a CSR for the certificate that you want to replace. You generate the CSR on the machine where the certificate is installed. See Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B, on page 68.
Verify that the Windows host that you use to connect to the data center is connected to the lax01.rainpole.local domain.

1 Log in to the Windows host that has access to the AD server as an administrator.
2 Submit a request and download the certificate chain that contains the CA-signed certificate and the CA certificate.
   a Open a Web Browser and go to to open the Web interface of the CA server.
   b Log in using the following credentials.

      Setting | Value
      User name | AD administrator
      Password | ad_admin_password

   c Click the Request a certificate link.
   d Click advanced certificate request.
   e Open the CSR file .csr in a plain text editor.
   f Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- to the clipboard.
   g On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR file into the Saved Request box.
   h From the Certificate Template drop-down menu, select VMware and click Submit.
   i On the Certificate issued screen, click Base 64 encoded.
   j Click the Download Certificate chain link and save the certificate chain file certnew.p7b to the Downloads folder.
3 Export the machine certificate to the correct format.
   a Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
   b Navigate to certnew.p7b > Certificates and notice the three certificates.
   c Right-click the machine certificate and select All Tasks > Export.
   d In the Certificate Export Wizard, click Next.
   e Select Base-64 encoded X.509 (.CER) and click Next.

   f Browse to C:\certs and specify the certificate name in the File name text box.
   g Click Next and click Finish.
   The certificate file is saved to the C:\certs folder.
4 Export the intermediate CA certificate file to the correct format.
   a Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
   b Navigate to certnew.p7b > Certificates and notice the three certificates.
   c Right-click the intermediate CA certificate and select All Tasks > Export.
   d In the Certificate Export Wizard, click Next.
   e Select Base-64 encoded X.509 (.CER) and click Next.
   f Browse to C:\certs and enter Intermediate in the File name text box.
   g Click Next and click Finish.
   The Intermediate.cer file is saved to the C:\certs folder.
5 Export the root CA certificate file in the correct format.
   a Right-click the root certificate and select All Tasks > Export.
   b In the Certificate Export Wizard, click Next.
   c Select Base-64 encoded X.509 (.CER) and click Next.
   d Browse to C:\certs and enter Root64 in the File name text box.
   e Click Next and click Finish.
   The Root64.cer file is saved to the C:\certs folder.
6 Move the certificate file to the following C:\manual-certs\component folder under the following file names.
      Management Component | Target Folder | Certificate File Names
      ESXi hosts for the management cluster | C:\manual-certs\mgmt01esx.lax01 | mgmt01esx51.cer, mgmt01esx52.cer, mgmt01esx53.cer, mgmt01esx54.cer
      ESXi hosts for the shared edge and compute cluster | C:\manual-certs\comp01esx.lax01 | comp01esx51.cer, comp01esx52.cer, comp01esx53.cer, comp01esx54.cer
      Platform Services Controller for the management cluster | C:\manual-certs\lax01psc51.lax01 | lax01psc51.lax01.cer
      vCenter Server for the management cluster | C:\manual-certs\mgmt01vc51.lax01 | mgmt01vc51.lax01.cer
      NSX Manager for the management cluster | C:\manual-certs\mgmt01nsxm51.lax01 | mgmt01nsxm51.lax01.cer
      Platform Services Controller for the shared edge and compute cluster | - |
      vCenter Server for the shared edge and compute cluster | C:\manual-certs\comp01vc51.lax01 | comp01vc51.lax01.cer

      Management Component | Target Folder | Certificate File Names
      NSX Manager for the shared edge and compute cluster | C:\manual-certs\comp01nsxm51.lax01 | comp01nsxm51.lax01.cer
      vSphere Data Protection | C:\manual-certs\mgmt01vdp51.lax01 | vdp.p7b
      Site Recovery Manager | C:\manual-certs\srm | mgmt01srm01.sfo01.cer, mgmt01srm51.lax01.cer
      vSphere Replication | C:\manual-certs\vr | mgmt01vrms01.sfo01.cer, mgmt01vrms51.lax01.cer
      vRealize Automation | |
      vRealize Orchestrator | |
      vRealize Business | |
      vRealize Operations Manager | |
      vRealize Log Insight | C:\manual-certs\vrli.lax01 | vrli.lax01.cer
7 Generate a certificate chain file.
   a Navigate to the directory C:\manual-certs\component.
   b For each management component, run the following command to create the certificate chain file.
      Management Component | Certificate Chain File Name
      Platform Services Controller for the management cluster | lax01psc51.lax01.chain.cer
      vCenter Server for the management cluster | mgmt01vc51.lax01.chain.cer
      NSX Manager for the management cluster | mgmt01nsxm51.lax01.chain.cer
      Platform Services Controller for the shared edge and compute cluster | Not applicable
      vCenter Server for the shared edge and compute cluster | comp01vc51.lax01.chain.cer
      NSX Manager for the shared edge and compute cluster | comp01nsxm51.lax01.chain.cer
      vSphere Data Protection | Not applicable
      Site Recovery Manager | mgmt01srm01.sfo01.cer for Region A, mgmt01srm51.lax01.cer for Region B
      vSphere Replication | mgmt01vrms01.sfo01.p12 for Region A, mgmt01vrms51.lax01.p12 for Region B
      vRealize Automation | Not applicable
      vRealize Orchestrator | Not applicable
      vRealize Business | Not applicable
      vRealize Operations Manager | Not applicable
      vRealize Log Insight | vrli-lax01.chain.cer

      copy own-certificate-file+Intermediate.cer+Root64.cer component-chain-file

   For example, run the following command to generate a certificate chain file for the NSX Manager for the management cluster.

      copy mgmt01nsxm51.lax01.cer+Intermediate.cer+Root64.cer mgmt01nsxm51.lax01.chain.cer

8 Repeat the procedure to generate signed certificates for the other products.
9 For each vCenter Server instance, create a certificate chain file CACert.chain.cer that contains the certificates of the root and intermediate CA in the vCenter Server specific folder.
      vCenter Server | Folder
      Management vCenter Server | C:\manual-certs\mgmt01vc51.lax01
      Compute vCenter Server | C:\manual-certs\comp01vc51.lax01

      copy Intermediate.cer+Root64.cer CACert.chain.cer
10 For Site Recovery Manager, convert the signed certificate to PKCS#12 format using OpenSSL on the Windows virtual machines of Site Recovery Manager and create a chain of CA certificates.
   a On the virtual machine of Site Recovery Manager, open a command prompt, go to C:\manual-certs and locate the following files.
      Region | Certificate File Name
      Region A | mgmt01srm01.sfo01.cer, mgmt01srm01.sfo01_ssl.key, Intermediate.cer, Root64.cer
      Region B | mgmt01srm51.lax01.cer, mgmt01srm51.lax01_ssl.key, Intermediate.cer, Root64.cer
   b Run the following command to generate the PKCS#12 certificate and CA certificate chain.
      Region A:
         openssl.exe pkcs12 -export -in mgmt01srm01.sfo01.cer -inkey mgmt01srm01.sfo01_ssl.key -name "srmprotected" -passout pass:VMware1! -out mgmt01srm01.sfo01.p12
         copy Intermediate.cer+Root64.cer CACert.chain.cer
      Region B:
         openssl.exe pkcs12 -export -in mgmt01srm51.lax01.cer -inkey mgmt01srm51.lax01_ssl.key -name "srmprotected" -passout pass:VMware1! -out mgmt01srm51.lax01.p12
         copy Intermediate.cer+Root64.cer CACert.chain.cer
      This command sets a user name srmprotected and password VMware1! for the PKCS#12 file.
   c Repeat the steps to generate a PKCS#12 file and CACert.chain.cer for Site Recovery Manager in the other region.

11 For vSphere Replication, generate a PKCS#12 file.
   a On the Windows host open a command prompt, navigate to the C:\manual-certs directory and run the following command to create CA certificate chain and machine certificate files in the folder for vSphere Replication.
      vSphere Replication in Region A:
         copy Intermediate.cer+Root64.cer CACert.chain.cer
         copy mgmt01vrms01.sfo01.cer+CACert.chain.cer mgmt01vrms01.sfo01.chain.cer
      vSphere Replication in Region B:
         copy Intermediate.cer+Root64.cer CACert.chain.cer
         copy mgmt01vrms51.lax01.cer+CACert.chain.cer mgmt01vrms51.lax01.chain.cer
   b Copy the CACert.chain.cer file and mgmt01vrms01.sfo01.chain.cer for Region A or mgmt01vrms51.lax01.chain.cer for Region B to the /tmp/ssl folder on the vSphere Replication appliance. You can use scp, FileZilla or WinSCP.
   c Log in to the vSphere Replication appliance again and run the following command to convert the own certificate to PKCS#12 format. Specify a password. You must have a password when you upload and install the certificate.
      vSphere Replication in Region A:
         openssl pkcs12 -export -in mgmt01vrms01.sfo01.chain.cer -inkey mgmt01vrms01.sfo01_ssl.key -name "vrmsprotected" -passout pass:VMware1! -out mgmt01vrms01.sfo01.p12
      vSphere Replication in Region B:
         openssl pkcs12 -export -in mgmt01vrms51.lax01.chain.cer -inkey mgmt01vrms51.lax01_ssl.key -name "vrmsprotected" -passout pass:VMware1! -out mgmt01vrms51.lax01.p12
   d Get the internal HMS keystore password:
         /opt/vmware/hms/bin/hms-configtool -cmd list | grep truststore
   e Import the certificate into the HMS truststore:
         /usr/java/default/bin/keytool -import -trustcacerts -alias root -file /tmp/ssl/CACert.cer -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass keystore_password
   f Enter yes at the command prompt and press Enter to complete the certificate import process.
   g Verify that the certificate is present in the HMS truststore.
         /usr/java/default/bin/keytool -list -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass keystore_password -v
   h Copy mgmt01vrms01.sfo01.p12 or mgmt01vrms51.lax01.p12 to the dedicated folder on the Windows host for access to the data center.
   i Repeat the steps to generate a PKCS#12 certificate for the vSphere Replication appliance in the other region.

12 For vRealize Log Insight, on the master node appliance generate a .pem file that contains the key file and the signer and owner certificates.
   a Copy the CACert.chain.cer file to C:\manual-certs\vrli.lax01.
   b Generate a vrli.lax01-chain.pem file that contains the host certificate with the intermediate certificate and root certificate, and the host private key.
         cd C:\manual-certs\vrli.lax01
         copy vrli.lax01.cert+CACert.chain.cer+vrli.lax01.key vrli-lax01-chain.pem

Replace Certificates of the Management Products in Region B

After you generate a certificate for a management product in Region B that is signed by the certificate authority on the parent or child AD server in the region, replace the default certificate or an expired certificate with a newly-signed one on the product instance in the region.

Prerequisites
Generate a certificate for the products in this validated design in one of the following ways:
- Use the VMware Validated Design Certificate Utility. See Use the Certificate Generation Utility to Generate Certificates Automatically in Region B, on page 65.
- Generate Certificate Signing Requests manually and use them to have the product certificates signed by the certificate authority on the child AD server in Region B. See Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B, on page 68 and Generate CA-Signed Certificates for the SDDC Management Components in Region B, on page 84.

1 Replace Certificates of the Virtual Infrastructure Components in Region B on page 89
   In this design, you replace user-facing certificates in Region B with certificates that are signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.
2 Replace Certificates of the Operations Management Components in Region B on page 112
   If the certificate of vRealize Log Insight in Region B expires, replace it and update it on the management components in the region to maintain a secure connection.
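A pre-flight check for the chain files built in the preceding procedure, as an added example that is not part of the VMware documentation: it confirms that a chain file is ordered machine certificate, intermediate CA, root CA, that the private key belongs to the machine certificate, and that a required DNS name is present in the SAN. The function names, the req.cfg file and the throwaway certificates (constructed on the fly) are assumptions; the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Pre-flight checks for a PEM chain file (machine cert + intermediate + root).
# Added example: function names and the sample PKI are illustrative assumptions.

# Split a PEM bundle ($1) into cert1.pem, cert2.pem, ... in directory $2; print the count.
split_bundle() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }
        END { print n + 0 }' "$1"
}

# Succeed only if the bundle is ordered machine cert -> intermediate(s) -> self-issued root.
chain_order_ok() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp" 2>/dev/null) || count=0
    rc=0
    [ "$count" -ge 2 ] || rc=1
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -le "$count" ]; do
        next=$((i + 1))
        [ "$i" -lt "$count" ] || next=$i      # the last certificate must be issued by itself
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash 2>/dev/null) || issuer=""
        subject=$(openssl x509 -in "$tmp/cert$next.pem" -noout -subject_hash 2>/dev/null) || subject=""
        # An unparsable block (e.g. two files joined without a newline) yields an empty hash.
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Succeed if private key $2 belongs to the first certificate in file $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if DNS name $2 is listed exactly in the SAN of the first certificate in $1.
san_has_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep 'DNS:' | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# Build a throwaway root -> intermediate -> machine certificate set in directory $1.
# Constructed sample data; key and CSR steps mirror the genrsa / req -config commands.
make_constructed_samples() {
    d=$1
    cat > "$d/req.cfg" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS:vrli-cluster-51.lax01.rainpole.local, DNS:vrli-wrkr-52.lax01.rainpole.local, DNS:vrli-wrkr-52
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ req_distinguished_name ]
commonName = vrli-cluster-51.lax01.rainpole.local
EOF
    for n in root int leaf; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
    done
    openssl req -x509 -new -key "$d/root.key" -config "$d/req.cfg" -extensions v3_ca \
        -subj "/CN=Constructed Root CA" -days 2 -out "$d/Root64.cer"
    openssl req -new -key "$d/int.key" -config "$d/req.cfg" \
        -subj "/CN=Constructed Intermediate CA" -out "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/Root64.cer" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/req.cfg" -extensions v3_ca -out "$d/Intermediate.cer" 2>/dev/null
    openssl req -new -key "$d/leaf.key" -config "$d/req.cfg" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/Intermediate.cer" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$d/req.cfg" -extensions v3_req -out "$d/leaf.cer" 2>/dev/null
    # Same order as: copy own-certificate-file+Intermediate.cer+Root64.cer component-chain-file
    cat "$d/leaf.cer" "$d/Intermediate.cer" "$d/Root64.cer" > "$d/leaf.chain.cer"
}

# Demo on the constructed certificates.
demo=$(mktemp -d)
make_constructed_samples "$demo"
chain_order_ok "$demo/leaf.chain.cer" && echo "chain order: ok"
key_matches_cert "$demo/leaf.chain.cer" "$demo/leaf.key" && echo "private key: matches machine certificate"
san_has_name "$demo/leaf.chain.cer" "vrli-wrkr-52" && echo "SAN: contains vrli-wrkr-52"
rm -rf "$demo"
```

On real files, run the three functions against the component chain file and its key before starting the import on the product.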
Replace Certificates of the Virtual Infrastructure Components in Region B

In this design, you replace user-facing certificates in Region B with certificates that are signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.

1 Replace the Platform Services Controller Certificates in Region B on page 90
   You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).
2 Replace vCenter Server Certificates in Region B on page 94
   Replace the certificates on the Management vCenter Server and Compute vCenter Server in Region B and reconnect them to the other management components to update the new certificates on these components.
3 Replace the Default Certificate with a Custom Certificate on the ESXi Hosts in Region B on page 100
   After you obtain signed certificates for the management ESXi hosts in Region B, use them to replace the default VMware Certificate Authority (VMCA) signed certificates on the hosts.

4 Replace the NSX Manager Certificates in Region B on page 102
   After you replace the certificates of all Platform Services Controller instances and all vCenter Server instances, replace the certificates for the NSX Manager instances.
5 Replace the Certificate of vSphere Data Protection in Region B on page 105
   vSphere Data Protection comes with a default self-signed certificate. Install a CA-signed certificate that authenticates vSphere Data Protection over HTTPS.
6 Replace the VMware Site Recovery Manager Certificates on page 108
   After you replace the certificates of all Platform Services Controllers, vCenter Server instances and NSX Managers, replace the certificates on the Site Recovery Manager server instances.
7 Install the CA-Signed Certificate on vSphere Replication on page 110
   After you generate a PKCS#12 certificate file, replace the default VMware-signed certificate with this certificate on vSphere Replication in both regions.

Replace the Platform Services Controller Certificates in Region B

You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).

Since the Platform Services Controller instances are load-balanced, the machine certificate on both instances in the region must be the same. The certificate must have a common name that is equal to the load-balanced Fully Qualified Domain Name (FQDN). Each Platform Services Controller FQDN and short name, and the load balancer FQDN and short name must be in the Subject Alternate Name (SAN) of the generated certificate.

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server, and then on the Platform Services Controller for the Compute vCenter Server.

Table 2-3.
Certificate-Related Files on Platform Services Controllers
      Platform Services Controller | Certificate File Name | Replacement Order
      mgmt01psc51.lax01.rainpole.local | lax01psc51.lax01.key, lax01psc51.lax01.3.pem (CertGenVVD), lax01psc51.lax01.1.chain.cer (Manual), chainRoot64.cer | First
      comp01psc51.lax01.rainpole.local | lax01psc51.lax01.key, lax01psc51.lax01.3.pem (CertGenVVD), lax01psc51.lax01.1.chain.cer (Manual), chainRoot64.cer | Second

1 Log in to the Management vCenter Server by using the vSphere Web Client.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | administrator@vsphere.local
      Password | vsphere_admin_password

2 Disable the Platform Services Controller for the shared edge and compute cluster comp01psc51 in the load balancer to route all traffic to the Platform Services Controller for the management cluster mgmt01psc51.
   a From the vSphere Web Client Home menu, select Network & Security.
   b In the Navigator, select NSX Edges.
   c From the NSX Manager drop-down menu, select
   d Double-click the LAX01PSC51 edge device to open its network settings.
   e On the Manage tab, click the Load Balancer tab and click Pools.
   f Select pool-1 and click Edit.
   g Select the comp01psc51 member, click Edit, select Disable from the State drop-down menu and click OK.
   h Repeat Step 2f and Step 2g to disable comp01psc51 in pool-2.
3 Disconnect the NSX Manager instances from the Platform Services Controller temporarily.
   a Open a Web Browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | admin
      Password | nsx_manager_admin_password
   c Click Manage vCenter Registration.
   d Click the Unconfigure button next to Lookup Service URL.
   e Repeat the steps on
4 Log in to the Platform Services Controller by using a Secure Shell (SSH) client.
   a Open an SSH connection to mgmt01psc51.lax01.rainpole.local.
   b Log in using the following credentials.
      Setting | Value
      User name | root
      Password | mgmtpsc_root_password
5 Change the Platform Services Controller command shell to the Bash shell so that you can use secure copy (scp) connections.
      shell
      chsh -s /bin/bash root
6 Copy the generated certificate files lax01psc51.lax01.key, lax01psc51.lax01.3.pem and chainRoot64.cer from the Windows host to the /tmp/ssl directory on the Platform Services Controller. Use scp, FileZilla or WinSCP to copy the files.
7 Rename lax01psc51.lax01.3.pem to lax01psc51.lax01.1.chain.cer.

8 Add the root certificate to the VMware Endpoint Certificate Store as a trusted root certificate using the following command. Enter the vCenter Single Sign-On password when prompted.
      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer
9 Replace the certificate on the Platform Services Controller.
   a Start the vSphere Certificate Manager utility on the Platform Services Controller.
      /usr/lib/vmware-vmca/bin/certificate-manager
   b Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
   c Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
   d Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
   e When prompted for the custom certificate, enter /tmp/ssl/lax01psc51.lax01.1.chain.cer.
   f When prompted for the custom key, enter /tmp/ssl/lax01psc51.lax01.key.
   g When prompted for the signing certificate, enter /tmp/ssl/chainRoot64.cer.
   h When prompted to continue operation, enter Y.
   Wait until the Platform Services Controller services restart successfully.
10 Validate that the new certificate has been installed successfully.
   a Open a Web Browser and go to
   b Verify that the Web browser shows the new certificate.
11 Restart the VAMI service to update the certificate for the appliance management interface.
   a Go back to the mgmt01psc51.lax01.rainpole.local SSH terminal.
   b Enter the following command to update the certificate for the appliance management interface.
      /etc/init.d/vami-lighttp restart

12 Switch the shell back to the appliance shell.
      chsh -s /bin/appliancesh root
13 Repeat Step 4 to Step 11 to replace the certificate on comp01psc51.lax01.rainpole.local.
14 Restart the services on the Management vCenter Server.
   a Open an SSH connection to mgmt01vc51.lax01.rainpole.local.
   b Log in using the following credentials.
      Setting | Value
      User name | root
      Password | mgmtvc_root_password
   c Switch from the appliance shell to the Bash shell.
      shell
   d Restart vCenter Server services by using the following command.
      service-control --stop --all
      service-control --start --all
15 Restore the load balancer configuration.
   a Open a Web Browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | administrator@vsphere.local
      Password | vsphere_admin_password
   c From the vSphere Web Client Home menu, select Network & Security.
   d In the Navigator, select NSX Edges.
   e Select from the NSX Manager drop-down menu.
   f Double-click the LAX01PSC51 edge device to open its network settings.
   g On the Manage tab, click the Load Balancer tab and click Pools.
   h Select pool-1 and click Edit.
   i Select the comp01psc51 member, click Edit, select Enable from the State drop-down menu, and click OK.
   j Repeat Step 15h and Step 15i to enable comp01psc51 in pool-2.
16 Repeat Step 15 to restart the services on the Compute vCenter Server comp01vc51.lax01.rainpole.local in Region B and on the vCenter Server instances mgmt01vc01.sfo01.rainpole.local and comp01vc01.sfo01.rainpole.local in Region A.

What to do next
If you replace only the certificate of the Platform Services Controller instances, reconnect the NSX Managers to the Platform Services Controller load balancer and to vCenter Server after you install the custom certificates on the nodes. See Connect NSX Manager to the Management vCenter Server in Region B, on page 96.

If you replace the certificates of vCenter Server after those of the Platform Services Controllers, see Replace vCenter Server Certificates in Region B, on page 94.

Replace vCenter Server Certificates in Region B

Replace the certificates on the Management vCenter Server and Compute vCenter Server in Region B and reconnect them to the other management components to update the new certificates on these components.

1 Replace the vCenter Server Certificates in Region B on page 94
   After you replace the Platform Services Controller certificate, you replace the vCenter Server machine SSL certificate. You generate a vCenter Server certificate manually or by using the CertGenVVD tool.
2 Connect NSX Manager to the Management vCenter Server in Region B on page 96
   After you replace the certificates of the Platform Services Controller and vCenter Server instances in Region B, you reconnect the NSX Managers to the vCenter Server nodes in the region.
3 Connect vSphere Data Protection to vCenter Server After Certificate Replacement in Region B on page 97
   After you replace the certificates on the vCenter Server nodes in Region B, connect vSphere Data Protection to the Management vCenter Server to update the vCenter Server certificate on vSphere Data Protection.
4 Update the vCenter Server Certificates on the Cloud Management Platform in Region B on page 97
   After you replace the certificates on the vCenter Server instances in Region B, reconnect vRealize Orchestrator to vCenter Server.
5 Update the vCenter Server Certificates on vRealize Operations Manager in Region B on page 99
   After you change the certificate of the vCenter Server instances in Region B, update the certificate on the connected vRealize Operations Manager node by reconnecting the vCenter Adapter instances.

Replace the vCenter Server Certificates in Region B

After you replace the Platform Services Controller certificate, you replace the vCenter Server machine SSL certificate. You generate a vCenter Server certificate manually or by using the CertGenVVD tool.

You replace certificates twice, once for each vCenter Server instance.
You can start replacing certificates on the Management vCenter Server mgmt01vc51.lax01.rainpole.local first.

Table 2-4. Certificate-Related Files on the vCenter Server Instances
      vCenter Server FQDN | Files for Certificate Replacement | Replacement Order
      mgmt01vc51.lax01.rainpole.local | mgmt01vc51.lax01_ssl.key, mgmt01vc51.lax01.3.pem (CertGenVVD2.1), mgmt01vc51.lax01.1.chain.cer (Manual), chainRoot64.cer | After you replace the certificate on the management Platform Services Controller.
      comp01vc51.lax01.rainpole.local | comp01vc51.lax01_ssl.key, comp01vc51.lax01.3.pem (CertGenVVD2.1), comp01vc51.lax01.1.chain.cer (Manual), chainRoot64.cer | After you replace the certificate on the compute Platform Services Controller.

1 Use the scp command, FileZilla, or WinSCP to copy the machine and CA certificate files to the /tmp/ssl directory on the Management vCenter Server.

2 Log in to the vCenter Server instance by using a Secure Shell client.
   a Open an SSH connection to the FQDN of the vCenter Server appliance, mgmt01vc51.lax01.rainpole.local.
   b Log in using the following credentials.
      Setting | Value
      User name | root
      Password | vcenter_server_root_password
3 Replace the CA-signed certificate on the vCenter Server instance.
   a Add the root certificate to the VMware Endpoint Certificate Store as a trusted root certificate using the following command and enter the vCenter Single Sign-On password when prompted.
      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer
   b Rename mgmt01vc51.lax01.3.pem to mgmt01vc51.lax01.1.chain.cer.
      mv /tmp/ssl/mgmt01vc51.lax01.3.pem /tmp/ssl/mgmt01vc51.lax01.1.chain.cer
   c Start the vSphere Certificate Manager utility on the vCenter Server instance.
      /usr/lib/vmware-vmca/bin/certificate-manager
   d Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
   e When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that is connected to this vCenter Server instance.
      vCenter Server | IP Address of Connected Platform Services Controller
      mgmt01vc51.lax01.rainpole.local |
      comp01vc51.lax01.rainpole.local |
   f Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
   g When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that have been generated by vSphere Certificate Manager earlier, and confirm the import with Yes (Y).
      Path to Certificate-Related Files for mgmt01vc51.lax01.rainpole.local:
         Please provide valid custom certificate for Machine SSL.
         File: /tmp/ssl/mgmt01vc51.lax01.1.chain.cer
         Please provide valid custom key for Machine SSL.
         File: /tmp/ssl/mgmt01vc51.lax01.key
         Please provide the signing certificate of the Machine SSL certificate
         File: /tmp/ssl/chainRoot64.cer
      Path to Certificate-Related Files for comp01vc51.lax01.rainpole.local:
         Please provide valid custom certificate for Machine SSL.
         File: /tmp/ssl/comp01vc51.lax01.1.chain.cer
         Please provide valid custom key for Machine SSL.
         File: /tmp/ssl/comp01vc51.lax01.key
         Please provide the signing certificate of the Machine SSL certificate
         File: /tmp/ssl/chainRoot64.cer

4 After Status shows 100% Completed, wait several minutes until all vCenter Server services are restarted.
5 Log in to the vSphere Web Client to verify that the certificate replacement is successful.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | administrator@vsphere.local
      Password | vsphere_admin_password
6 After you replace the certificate on mgmt01vc51.lax01.rainpole.local, repeat the procedure to replace the certificate on the compute vCenter Server comp01vc51.lax01.rainpole.local.

Connect NSX Manager to the Management vCenter Server in Region B

After you replace the certificates of the Platform Services Controller and vCenter Server instances in Region B, you reconnect the NSX Managers to the vCenter Server nodes in the region.

1 Log in to the appliance interface of the Management NSX Manager.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | admin
      Password | nsx_manager_admin_password
2 Click Manage vCenter Registration.
3 Under Lookup Service, click Edit.
4 In the Lookup Service dialog box, enter the following settings and click OK.
      Setting | Value for Both NSX Managers
      Lookup Service IP | lax01psc51.lax01.rainpole.local
      Lookup Service Port | 443
      SSO Administrator User Name | administrator@vsphere.local
      Password | vsphere_admin_password
5 In the Trust Certificate? dialog box, click Yes.
6 Under vCenter Server, click Edit.

7 In the vCenter Server dialog box, enter the following settings, and click OK.
      Setting | Value for NSX Manager for the Management Cluster | Value for NSX Manager for the Shared Edge and Compute Cluster
      vCenter Server | mgmt01vc51.lax01.rainpole.local | comp01vc51.lax01.rainpole.local
      vCenter User Name | svc-nsxmanager@rainpole.local | svc-nsxmanager@rainpole.local
      Password | svc-nsxmanager_password | svc-nsxmanager_password
8 In the Trust Certificate? dialog box, click Yes.
9 Wait for the Status indicators for the Lookup Service and vCenter Server to change to the Connected status.
10 Repeat the procedure to connect NSX Manager for the shared edge and compute cluster to the Platform Services Controller load balancer and Compute vCenter Server.

Connect vSphere Data Protection to vCenter Server After Certificate Replacement in Region B

After you replace the certificates on the vCenter Server nodes in Region B, connect vSphere Data Protection to the Management vCenter Server to update the vCenter Server certificate on vSphere Data Protection.

You reconnect vCenter Server to vSphere Data Protection to install the new certificate of vCenter Server.

1 Log in to vCenter Server by using the vSphere Web Client.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | administrator@vsphere.local
      Password | vsphere_admin_password
2 On the vSphere Web Client Home page, click the VDP icon.
3 On the Welcome to vSphere Data Protection page, select mgmt01vdp51 from the VDP Appliance drop-down menu and click Connect.

Update the vCenter Server Certificates on the Cloud Management Platform in Region B

After you replace the certificates on the vCenter Server instances in Region B, reconnect vRealize Orchestrator to vCenter Server.

1 Reconnect vRealize Orchestrator to vCenter Server.
   a Open a Web Browser and go to
   b Click Start Orchestrator Client.

   c On the VMware vRealize Orchestrator login page, log in to the vRealize Orchestrator Host A by using the following host name and credentials.
      Setting | Value
      Host name | vra01vro01.rainpole.local:8281
      User name | svc-vra
      Password | svc-vra-password
   d In the left pane, click Workflows, and navigate to Library > vCenter > Configuration.
   e Right-click the Update a vCenter Server instance workflow and click Start Workflow.
   f From the vCenter Server instance drop-down menu, select and click Next.
   g Enter the password for the svc-vro@rainpole.local user account and click Submit.
   h Click Yes to ignore the certificate warnings and click Next.
2 Reconnect vRealize Business with the Compute vCenter Server.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | root
      Password | vrb_collector_root_password
   c Click Manage Private Cloud Connections, select vCenter Server, select the comp01vc51.lax01.rainpole.local entry and click the Edit icon.
   d In the Edit vCenter Server Connection dialog box, enter the password for the svc-vra@rainpole.local user and click Save.
   e In the SSL Certificate warning dialog box, click Install.
   f In the Success dialog box, click OK.
3 Recreate the vSphere endpoint in vRealize Automation.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | itac-tenantadmin
      Password | itac-tenantadmin_password
      Domain | rainpole.local
   c Navigate to Infrastructure > Endpoints > Credentials, select comp01vc51lax01 admin and click Edit.

   d On the Credentials page, enter the password for the vRealize Automation credential for the administrator of comp01vc51.lax01.rainpole.local, and click Save.
      Setting | Value
      Name | comp01vc51lax01 admin
      Description | Administrator of comp01vc51.lax01.rainpole.local
      User Name | svc-vra@rainpole.local
      Password | svc_vra_password
   e Navigate to Infrastructure > Endpoints > Endpoints.
   f Hover your mouse over comp01vc01.lax01.rainpole.local and click Edit from the menu.
   g On the Edit Endpoint - vSphere (vCenter) page, click OK.
   h A certificate warning should pop up; click OK to accept the new certificate.

Update the vCenter Server Certificates on vRealize Operations Manager in Region B

After you change the certificate of the vCenter Server instances in Region B, update the certificate on the connected vRealize Operations Manager node by reconnecting the vCenter Adapter instances.

1 Log in to vRealize Operations Manager by using the administration console.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | admin
      Password | vrops_admin_password
2 In the left pane of vRealize Operations Manager, click Administration and click Certificates.
3 Select the row that contains CN=mgmt01vc51.lax01.rainpole.local and click the Delete icon.
4 In the left pane of vRealize Operations Manager, click Administration and click Solutions.
5 Select the VMware vSphere solution and click Configure.

6 In the Manage Solutions dialog box, select mgmt01vc51-lax01, click Test Connection, accept the new certificate of the Management vCenter Server and click Save Settings.
7 Repeat the procedure to delete the certificate that is installed for the Compute vCenter Server comp01vc51.lax01.rainpole.local and reconnect vRealize Operations Manager to the Compute vCenter Server to install the new certificate.

Replace the Default Certificate with a Custom Certificate on the ESXi Hosts in Region B

After you obtain signed certificates for the management ESXi hosts in Region B, use them to replace the default VMware Certificate Authority (VMCA) signed certificates on the hosts.

1 Change the certificate mode for the ESXi hosts in the management cluster. The hosts are not automatically provisioned with VMCA certificates when you refresh their certificates.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | administrator@vsphere.local
      Password | vsphere_admin_password
   c In the Navigator, under Hosts and Cluster, select mgmt01vc51.lax01.rainpole.local, and click the Configure tab.
   d Under Settings, click Advanced and click Edit.
   e In the Filter box, enter certmgmt and press Enter to display only certificate management properties.
   f Change the value of the vpxd.certmgmt.mode property to custom and click OK.

   g From the Home menu, select Administration, and under Deployment on the Administration page select System Configuration.
   h Under System Configuration, select Services, select the VMware vCenter Server (mgmt01vc51.lax01.rainpole.local) and select Actions > Restart.
2 Add the CA root certificate to the vCenter Server TRUSTED_ROOTS store. If you already replaced the certificate for mgmt01vc51.lax01.rainpole.local, you added the root certificate to the TRUSTED_ROOTS stores.
   a Open an SSH connection to mgmt01vc51.lax01.rainpole.local.
   b Log in using the following credentials.
      Setting | Value
      User name | root
      Password | mgmtvc_root_password
   c Copy chainRoot64.cer from the Windows host that you use to access the data center to the temporary directory /tmp/ssl on the vCenter Server Appliance. You can use scp, FileZilla or WinSCP.
   d Run the following command.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store TRUSTED_ROOTS --alias RainpoleCA.crt --cert /tmp/ssl/chainRoot64.cer
3 Replace the certificates on ESXi hosts.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | vcenteradmin
      Password | vsphere_admin_password
   c From the Home menu of the vSphere Web Client, select Hosts and Clusters.
   d Under the LAX01 data center, right-click the mgmt01esx51.lax01.rainpole.local vCenter Server object and select Maintenance Mode > Enter Maintenance Mode.
   e Select Move powered-off and suspended virtual machines to other hosts in the cluster and click OK.
   f After the maintenance task is complete, open an SSH connection to mgmt01esx51.lax01.rainpole.local.
   g Transfer mgmt01esx51.key and mgmt01esx51.cer from the Windows host to the /etc/vmware/ssl directory on the host.
   h Run the following commands.
      mv rui.crt orig.rui.crt
      mv rui.key orig.rui.key
      mv mgmt01esx51.key rui.key
      mv mgmt01esx51.cer rui.crt
   i Run the dcui command to open the Direct Console User Interface (DCUI).
   j Press the F2 key to access the System Customization menu.

   k Select Troubleshooting Options and press Enter.
   l Select Restart Management Agents and press Enter.
   m Press the F11 key to confirm the restart.
4 Verify that the custom certificate is installed.
   a Open a Web browser and go to
   b Verify that the certificate returned by the host is signed by Rainpole instead of by VMware.
5 Exit the maintenance mode of the host.
   a Open a Web browser and go to
   b Log in using the following credentials.
      Setting | Value
      User name | administrator@vsphere.local
      Password | vsphere_admin_password
   c From the Home menu, select Hosts and Clusters.
   d Under the LAX01-Mgmt01 data center, right-click the mgmt01esx51.lax01.rainpole.local vCenter Server object and select Maintenance Mode > Exit Maintenance Mode.
   e Make sure that no warning message about an untrusted mgmt01esx51.lax01.rainpole.local certificate appears.
6 Repeat Step 3 to Step 5 for the rest of the management ESXi hosts.
      ESX hosts | Managed by | Certificate file names
      mgmt01esx52.lax01.rainpole.local | mgmt01vc51.lax01.rainpole.local | mgmt01esx52.key, mgmt01esx52.cert
      mgmt01esx53.lax01.rainpole.local | mgmt01vc51.lax01.rainpole.local | mgmt01esx53.key, mgmt01esx53.cert
      mgmt01esx54.lax01.rainpole.local | mgmt01vc51.lax01.rainpole.local | mgmt01esx54.key, mgmt01esx54.cert
      comp01esx51.lax01.rainpole.local | comp01vc51.lax01.rainpole.local | comp01esx51.key, comp01esx51.cert
      comp01esx52.lax01.rainpole.local | comp01vc51.lax01.rainpole.local | comp01esx52.key, comp01esx52.cert
      comp01esx53.lax01.rainpole.local | comp01vc51.lax01.rainpole.local | comp01esx53.key, comp01esx53.cert
      comp01esx54.lax01.rainpole.local | comp01vc51.lax01.rainpole.local | comp01esx54.key, comp01esx54.cert

Replace the NSX Manager Certificates in Region B

After you replace the certificates of all Platform Services Controller instances and all vCenter Server instances, replace the certificates for the NSX Manager instances.

You replace certificates twice, once for each NSX Manager. You start by replacing certificates on NSX Manager for the mgmt01nsxm51.lax01.rainpole.local management cluster.

Table 2-5. Certificate-Related Files on the NSX Manager Instances in Region B
      NSX Manager FQDN | Certificate File Name | Replacement Time
      mgmt01nsxm51.lax01.rainpole.local | mgmt01nsxm51.lax01.chain.cer from manual generation, mgmt01nsxm51.lax01.4.p12 from the CertGenVVD tool | After you replace the certificate on the Management vCenter Server
      comp01nsxm51.lax01.rainpole.local | comp01nsxm51.lax01.cer.chain.cer from manual generation, comp01nsxm51.lax01.4.p12 from the CertGenVVD tool | After you replace the certificate on the Compute vCenter Server

1 On the Windows host that has access to the data center, log in to the NSX Manager Web interface.
   a Open a Web browser and go to the following URL.
      NSX Manager | URL
      NSX Manager for the management cluster |
      NSX Manager for the shared compute and edge cluster |
   b Log in using the following credentials.
      Setting | Value
      User name | admin
      Password | nsx_manager_admin_password
2 On the Manage tab, click SSL Certificates, click Import and provide the certificate chain file.
3 Restart the NSX Manager to propagate the CA-signed certificate.
   a In the right corner of the NSX Manager page, click the Settings icon.
   b From the drop-down menu, select Reboot Appliance.
4 Re-register the NSX Manager to the Management vCenter Server.
   a Open a Web browser and go to the NSX Manager Web interface.
      NSX Manager | URL
      NSX Manager for the management cluster |
      NSX Manager for the shared compute and edge cluster |
   b Log in using the following credentials.
      Setting | Value
      User name | admin
      Password | nsx_mngr_admin_password
   c Click Manage vCenter Registration.
   d Under Lookup Service, click the Edit button.

  e In the Lookup Service dialog box, enter the following settings, and click OK.
      Lookup Service IP: lax01psc51.lax01.rainpole.local
      Lookup Service Port: 443
      SSO Administrator User Name: administrator@vsphere.local
      Password: vsphere_admin_password
  f In the Trust Certificate? dialog box, click Yes.
  g Under vCenter Server, click the Edit button.
  h In the vCenter Server dialog box, enter the following settings, and click OK.
      Setting | Value for the NSX Manager for the Management Cluster | Value for the NSX Manager for the Shared Edge and Compute Cluster
      vCenter Server | mgmt01vc51.lax01.rainpole.local | comp01vc51.lax01.rainpole.local
      vCenter User Name | svc-nsxmanager@rainpole.local
      Password | svc-nsxmanager_password
  i In the Trust Certificate? dialog box, click Yes.
  j Wait until the Status indicators for the Lookup Service and vCenter Server change to Connected.

5 Repeat the steps for the NSX Manager for the shared compute and edge cluster.

6 Reconnect to the NSX Manager instances in Region A.
  a Open a Web browser and go to
  b Log in using the following credentials.
      User name: administrator@vsphere.local
      Password: vsphere_admin_password
  c From the vSphere Web Client Home menu, select Networking & Security.
  d Click Installation in the Navigator.
  e On the Management tab, select the instance from the NSX Manager menu.
  f If primary and secondary nodes are not syncing correctly
  g Select Actions > Disconnect from Primary NSX Manager.
  h On the Management tab, select the instance from the NSX Manager drop-down menu.
  i Select Actions > Add Secondary NSX Manager

  j In the Add Secondary NSX Manager dialog box, enter the following settings and click OK.
      NSX Manager:
      Username: admin
      Password: mgmtnsx_admin_password
      Confirm Password: mgmtnsx_admin_password
  k In the Trust Certificate confirmation dialog box, click Yes.
  l Repeat Step 6e to Step 6k for the NSX Manager instances for the shared edge and compute cluster.
    Reconnect the secondary NSX Manager for the shared edge and compute cluster in Region B to the primary NSX Manager for the shared edge and compute cluster in Region A.

7 Reconnect the NSX Manager instances to vRealize Operations Manager.
  a Open a Web browser and go to
  b Log in using the following credentials.
      User name: admin
      Password: vrops_admin_password
  c In the left pane of vRealize Operations Manager, click Administration and click Certificates.
  d Select the row that contains CN=mgmt01nsxm51.lax01.rainpole.local and click the Delete icon.
  e Select the row that contains CN=comp01nsxm51.lax01.rainpole.local and click the Delete icon.
  f In the left pane of vRealize Operations Manager, click Administration and click Solutions.
  g From the solution table on the Solutions page, select the Management Pack for NSX-vSphere solution, and click the Configure icon at the top.
  h In the Manage Solutions dialog box, from the Adapter Type table at the top, select NSX-vSphere Adapter.
  i Click the mgmt01nsxm51-lax01 adapter instance, click Test Connection, accept the new certificate and click Save settings.
  j Click the comp01nsxm51-lax01 adapter instance, click Test Connection, accept the new certificate and click Save settings.

Replace the Certificate of vSphere Data Protection in Region B

vSphere Data Protection comes with a default self-signed certificate. Install a CA-signed certificate that authenticates vSphere Data Protection over HTTPS.

Install CertGenVVD-Generated Certificate on vSphere Data Protection in Region B
  After you use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates for the SDDC management components, replace the default VMware-signed certificate on vSphere Data Protection in Region B with the certificate that is generated by CertGenVVD.

Install Manually Generated Certificate on vSphere Data Protection in Region B
  Replace the default VMware-signed certificate on vSphere Data Protection in Region B with the certificate that is signed by the Microsoft CA on the dc01lax.lax01.rainpole.local AD server.

Install CertGenVVD-Generated Certificate on vSphere Data Protection in Region B

After you use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates for the SDDC management components, replace the default VMware-signed certificate on vSphere Data Protection in Region B with the certificate that is generated by CertGenVVD.

Prerequisites

Generate the Microsoft CA-signed certificate by using the CertGenVVD tool. See Use the Certificate Generation Utility to Generate Certificates Automatically in Region A, on page 9.

1 Copy the .keystore file that the CertGenVVD tool generated to the /root folder on the vSphere Data Protection virtual appliance.
  You can use scp, FileZilla or WinSCP.

2 Log in to the vSphere Data Protection appliance.
  a Open an SSH connection to the virtual machine mgmt01vdp51.lax01.rainpole.local.
  b Log in using the following credentials.
      User name: root
      Password: vdp_root_password

3 Restart all vSphere Data Protection services by running the following commands.

    dpnctl stop all
    dpnctl start all

4 Run the addFingerprint.sh script to update the vSphere Data Protection server thumbprint displayed in the VM console welcome screen.

    /usr/local/avamar/bin/addFingerprint.sh

Install Manually Generated Certificate on vSphere Data Protection in Region B

Replace the default VMware-signed certificate on vSphere Data Protection in Region B with the certificate that is signed by the Microsoft CA on the dc01lax.lax01.rainpole.local AD server.

Prerequisites

Generate a certificate for vSphere Data Protection on the dc01lax.lax01.rainpole.local AD server. See Generate CA-Signed Certificates for the SDDC Management Components in Region B.

1 On the Windows host that has access to the data center, copy the vdp.p7b certificate file to the /root folder on the vSphere Data Protection virtual appliance.
  You can use scp, FileZilla or WinSCP.

2 Log in to the vSphere Data Protection appliance.
  a Open an SSH connection to the virtual machine mgmt01vdp51.lax01.rainpole.local.
  b Log in using the following credentials.
      User name: root
      Password: vdp_root_password

3 Verify that the vSphere Data Protection services are stopped.

    emwebapp.sh --test

  If the services are running, stop them by running the following command.

    emwebapp.sh --stop

4 Import the certificate.
  a Run the following console command.

    /usr/java/latest/bin/keytool -import -alias tomcat -keystore /root/.keystore -file /root/vdp.p7b

  b When prompted for the keystore password, enter changeit.
  c When prompted to trust the certificate, enter yes and press Enter.

5 Verify that the certificate is installed successfully.
  a Run the following command.

    /usr/java/latest/bin/keytool -list -v -keystore /root/.keystore -storepass changeit -keypass changeit | grep tomcat

  b Verify that the output contains Alias name: tomcat.

6 Run the addFingerprint.sh script to update the vSphere Data Protection server thumbprint displayed in the VM console welcome screen.

    /usr/local/avamar/bin/addFingerprint.sh

  This script does not return any output.

7 Start the vSphere Data Protection services.

    emwebapp.sh --start

Replace the VMware Site Recovery Manager Certificates

After you replace the certificates of all Platform Services Controllers, vCenter Server instances and NSX Managers, replace the certificates on the Site Recovery Manager server instances.

You replace certificates twice, once for each Site Recovery Manager. You start by replacing certificates on mgmt01srm01.sfo01.rainpole.local, the Site Recovery Manager in Region A.

Table 2-6. Certificate-Related Files for Site Recovery Manager in Region A and Region B

    File Name | Site Recovery Manager in Region A | Site Recovery Manager in Region B
    CA Certificate Chain | chainroot64.cer | chainroot64.cer
    PKCS#12 File Name from Manual Generation | mgmt01srm01.sfo01.p12 | mgmt01srm51.lax01.p12
    PKCS#12 File Name from the CertGenVVD tool | mgmt01srm01.sfo01.5.p12 | mgmt01srm51.lax01.5.p

1 Log in to the Site Recovery Manager virtual machine by using a Remote Desktop Protocol (RDP) client.
  a Open an RDP connection to the following virtual machine.
      Region | Site Recovery Manager
      Region A | mgmt01srm01.sfo01.rainpole.local
      Region B | mgmt01srm51.lax01.rainpole.local
  b Log in using the following credentials.
      User name: Windows administrator user
      Password: windows_administrator_password

2 Install the CA certificates in the Windows trusted root certificate store of the Site Recovery Manager virtual machine.
  a Locate the chainroot64.cer file in the C:\manual-certs folder.
  b Double-click the chainroot64.cer file to open the Certificate import dialog box.
  c In the Certificate dialog box, select the Install Certificate option.
    The Certificate Import Wizard appears.
  d Select the Local Machine option for the Store Location and click Next.
  e Select the Place all certificates in the following store option, browse to select the Trusted Root Certificate Authorities store and click OK.
  f On the Completing the Certificate Import Wizard page, click Finish.

3 Replace the certificate on Site Recovery Manager with the one that you generated manually or by using the CertGenVVD tool.
  a Open Programs and Features from the Windows Control Panel.
  b From the list of programs, select VMware vCenter Site Recovery Manager and click Change.
  c Select the Modify option on the Maintenance Options screen and follow the wizard until you reach the Certificate Type screen.
  d Select the Use a PKCS#12 certificate file option and click Next.
  e Browse to C:\manual-certs, select the mgmt01srm01.sfo01.p12 or mgmt01srm51.lax01.p12 file, and enter the certificate password VMware1! that you specified when generating the PKCS#12 file.
  f Click Yes in the certificate warning dialog box and complete the modify installation wizard.

4 Restore the connection between the two Site Recovery Manager sites after replacing the certificates with CA-signed certificates.
  a Open a Web browser and go to
  b Log in using the following credentials.
      User name: administrator@vsphere.local
      Password: vsphere_admin_password
  c In the vSphere Web Client, click Site Recovery > Sites.

  d Right-click the site mgmt01vc01.sfo01.rainpole.local and select Reconfigure Pairing.
  e Enter the address of the Platform Services Controller lax01psc51.lax01.rainpole.local on the remote site and click Next.
  f Select the vCenter Server instance mgmt01vc51.lax01.rainpole.local with which Site Recovery Manager is registered on the remote site, enter the vCenter Single Sign-On administrator user name administrator@vsphere.local and vsphere_admin_password password, and click Finish.

5 Repeat the procedure to replace the default VMware-signed certificate with this one on mgmt01srm51.lax01.rainpole.local.

Install the CA-Signed Certificate on vSphere Replication

After you generate a PKCS#12 certificate file, replace the default VMware-signed certificate with this certificate on vSphere Replication in both regions.

You can start replacing certificates on vSphere Replication in Region A mgmt01vrms01.sfo01.rainpole.local first.

Table 2-7. PKCS#12 Files for vSphere Replication in Region A and Region B

    vSphere Replication FQDN | PKCS#12 File Name from Manual Generation | PKCS#12 File Name from the CertGenVVD Tool
    mgmt01vrms01.sfo01.rainpole.local | mgmt01vrms01.sfo01.p12 | mgmt01vrms01.sfo01.5.p12
    mgmt01vrms51.lax01.rainpole.local | mgmt01vrms01.lax01.p12 | mgmt01vrms51.lax01.5.p12

1 Upload the PKCS#12 file to vSphere Replication by using the vSphere Replication Appliance interface (VAMI).
  a Open a Web browser and go to the following URL.
      vSphere Replication | URL
      vSphere Replication in Region A |
      vSphere Replication in Region B |
  b Log in using the following credentials.
      User name: root
      Password: vr_root_password
  c On the VR tab, click the Configuration tab.
  d Enter the vCenter Single Sign-On administrator password vsphere_admin_password.

  e Click Choose File next to Upload PKCS#12 (*.pfx) file and locate the PKCS#12 file that you created.
  f Click the Upload and Install button and enter the certificate password when prompted.

  After you change the SSL certificate, the vSphere Replication status changes to disconnected because the new certificate is not validated by the vSphere Replication instance in the other site.

2 Reconnect the sites to resolve the connection issue.
  When you change the SSL certificate, the vSphere Replication status changes to the disconnected state because the new certificate is not validated by the vSphere Replication instance in the other site.
  a Open a Web browser and go to
  b Log in using the following credentials.
      User name: administrator@vsphere.local
      Password: vsphere_admin_password
  c On the vSphere Web Client Home page, click vSphere Replication.
  d Select mgmt01vc01.sfo01.rainpole.local, click Manage, and select Target Sites.

  e Right-click mgmt01vc51.lax01.rainpole.local and click Reconnect site.
  f In the Reconnect Sites dialog box, click Yes to proceed.

3 Repeat the steps to install the CA-signed certificate on the other vSphere Replication instance.

Replace Certificates of the Operations Management Components in Region B

If the certificate of vRealize Log Insight in Region B expires, replace it and update it on the management components in the region to maintain a secure connection.

Replace the Certificate to vRealize Log Insight in Region B

After you generate the PEM certificate chain file that contains the own certificate, the signer certificate and the private key file, upload the certificate chain to vRealize Log Insight in Region B.

1 Log in to the vRealize Log Insight user interface.
  a Open a Web browser and go to
  b Log in using the following credentials.
      User name: admin
      Password: vrli_admin_password

2 In the vRealize Log Insight UI, click the configuration drop-down menu icon and select Administration.

3 Under Configuration, click SSL.

4 On the SSL Configuration page, next to New Certificate File (PEM format) click Choose File, browse to the location of the vrli.lax01.2.chain.pem file on your computer, and click Save.

    Certificate Generation Option | Certificate File
    Using the CertGenVVD tool | vrli.lax01.2.chain.pem
    Manual Generation | vrli-lax01.chain.pem

  The certificate is uploaded to vRealize Log Insight.
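The keystore check in the manual vSphere Data Protection procedure above only greps the listing for the tomcat alias, which also matches when that entry is still self-signed or was imported as a bare trusted certificate without a private key. The shell function below is an added example, not part of the VMware document: it classifies one alias from `keytool -list -v` output, and the sample listings and the EXAMPLE-ISSUING-CA issuer name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the VMware document): classify one alias in
# `keytool -list -v` output read from stdin.
# Result: missing | no-private-key | incomplete | self-signed |
#         unexpected-issuer | ca-signed
# On the appliance the input would come from the command the page uses:
#   /usr/java/latest/bin/keytool -list -v -keystore /root/.keystore \
#       -storepass changeit | classify_alias tomcat

classify_alias() {
    # $1 = alias to inspect; $2 = optional text the leaf issuer must contain
    awk -v want="$1" -v ca="${2:-}" '
        function val(prefix,   v) {
            v = $0; sub(prefix, "", v); sub(/\r$/, "", v); return v
        }
        /^Alias name: / {
            cur = (tolower(val("^Alias name: ")) == tolower(want))
            if (cur) found = 1
            next
        }
        !cur { next }
        /^Entry type: / { type = val("^Entry type: ") }
        # The first Owner/Issuer pair inside an entry belongs to the leaf.
        /^Owner: /  && owner  == "" { owner  = val("^Owner: ") }
        /^Issuer: / && issuer == "" { issuer = val("^Issuer: ") }
        END {
            if (!found)                            print "missing"
            else if (type != "PrivateKeyEntry")    print "no-private-key"
            else if (owner == "" || issuer == "")  print "incomplete"
            else if (owner == issuer)              print "self-signed"
            else if (ca != "" && index(issuer, ca) == 0)
                                                   print "unexpected-issuer"
            else                                   print "ca-signed"
        }'
}

# Constructed sample: default state, key pair with a self-signed certificate.
sample_self_signed() {
cat <<'EOF'
Alias name: tomcat
Creation date: Sep 26, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mgmt01vdp51.lax01.rainpole.local, O=Constructed
Issuer: CN=mgmt01vdp51.lax01.rainpole.local, O=Constructed
EOF
}

# Constructed sample: CA reply imported onto the existing key pair.
sample_ca_signed() {
cat <<'EOF'
Alias name: rootca
Entry type: trustedCertEntry

Owner: CN=EXAMPLE-ISSUING-CA, DC=rainpole, DC=local
Issuer: CN=EXAMPLE-ISSUING-CA, DC=rainpole, DC=local

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=mgmt01vdp51.lax01.rainpole.local, O=Constructed
Issuer: CN=EXAMPLE-ISSUING-CA, DC=rainpole, DC=local
Certificate[2]:
Owner: CN=EXAMPLE-ISSUING-CA, DC=rainpole, DC=local
Issuer: CN=EXAMPLE-ISSUING-CA, DC=rainpole, DC=local
EOF
}

# Constructed sample: certificate imported into a keystore that had no
# tomcat key pair, so the alias exists but cannot serve HTTPS.
sample_trusted_only() {
cat <<'EOF'
Alias name: tomcat
Entry type: trustedCertEntry

Owner: CN=mgmt01vdp51.lax01.rainpole.local, O=Constructed
Issuer: CN=EXAMPLE-ISSUING-CA, DC=rainpole, DC=local
EOF
}

for s in sample_self_signed sample_ca_signed sample_trusted_only; do
    printf '%s: %s\n' "$s" "$($s | classify_alias tomcat EXAMPLE-ISSUING-CA)"
done
```

All three constructed listings contain "Alias name: tomcat", so the grep check would pass for each of them; only the second is the state the procedure is meant to reach.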


More information

Upgrading from vrealize Automation 7.1 or Later to June 2018 vrealize Automation 7.4

Upgrading from vrealize Automation 7.1 or Later to June 2018 vrealize Automation 7.4 Upgrding from vrelize Automtion 7.1 or Lter to 7.4 15 June 2018 vrelize Automtion 7.4 You cn find the most up-to-dte technicl documenttion on the VMwre wesite t: https://docs.vmwre.com/ If you hve comments

More information

Use Case Deployment Using vrealize Suite Lifecycle Manager. Modified on 21 DEC 2017 VMware Validated Design 4.1

Use Case Deployment Using vrealize Suite Lifecycle Manager. Modified on 21 DEC 2017 VMware Validated Design 4.1 Use Cse Deployment Using vrelize Suite Lifecycle Mnger Modified on 21 DEC 2017 VMwre Vlidted Design 4.1 You cn find the most up-to-dte technicl documenttion on the VMwre wesite t: https://docs.vmwre.com/

More information

Upgrading from vrealize Automation 7.1, 7.2 to 7.3 or 7.1, 7.2, 7.3 to March 2018 vrealize Automation 7.3

Upgrading from vrealize Automation 7.1, 7.2 to 7.3 or 7.1, 7.2, 7.3 to March 2018 vrealize Automation 7.3 Upgrding from vrelize Automtion 7.1, 7.2 to 7.3 or 7.1, 7.2, 7.3 to 7.3.1 15 Mrch 2018 vrelize Automtion 7.3 You cn find the most up-to-dte technicl documenttion on the VMwre wesite t: https://docs.vmwre.com/

More information

IaaS Configuration for Virtual Platforms

IaaS Configuration for Virtual Platforms IS Configurtion for Virtul Pltforms vcloud Automtion Center 6.1 This document supports the version of ech product listed nd supports ll susequent versions until the document is replced y new edition. To

More information

UTMC APPLICATION NOTE UT1553B BCRT TO INTERFACE PSEUDO-DUAL-PORT RAM ARCHITECTURE INTRODUCTION ARBITRATION DETAILS DESIGN SELECTIONS

UTMC APPLICATION NOTE UT1553B BCRT TO INTERFACE PSEUDO-DUAL-PORT RAM ARCHITECTURE INTRODUCTION ARBITRATION DETAILS DESIGN SELECTIONS UTMC APPLICATION NOTE UT1553B BCRT TO 80186 INTERFACE INTRODUCTION The UTMC UT1553B BCRT is monolithi CMOS integrte iruit tht provies omprehensive Bus Controller n Remote Terminl funtions for MIL-STD-

More information

Kulleġġ San Ġorġ Preca Il-Liċeo tas-subien Ħamrun. Name & Surname: A) Mark the correct answer by inserting an X in the correct box. a b c d.

Kulleġġ San Ġorġ Preca Il-Liċeo tas-subien Ħamrun. Name & Surname: A) Mark the correct answer by inserting an X in the correct box. a b c d. Kulleġġ Sn Ġorġ Pre Il-Liċeo ts-suien Ħmrun Hlf Yerly Exmintion 2012 Trk 3 Form 3 INFORMATION TECHNOLOGY Time : 1hr 30 mins Nme & Surnme: Clss: A) Mrk the orret nswer y inserting n X in the orret ox. 1)

More information

WORKSHOP 8B TENSION COUPON

WORKSHOP 8B TENSION COUPON WORKSHOP 8B TENSION COUPON WS8B-2 Workshop Ojetives Prtie reting n eiting geometry Prtie mesh seeing n iso meshing tehniques. WS8B-3 Suggeste Exerise Steps 1. Crete new tse. 2. Crete geometry moel of the

More information

CICS Application Design

CICS Application Design CICS Applition Design In orer to lern whih questions hve een nswere orretly: 1. Print these pges. 2. Answer the questions. 3. Sen this ssessment with the nswers vi:. FAX to (212) 967-3498. Or. Mil the

More information

Please read the Product Safety Guide first before you set up your machine. Then, read this Quick Setup Guide for the correct setup and installation.

Please read the Product Safety Guide first before you set up your machine. Then, read this Quick Setup Guide for the correct setup and installation. Quik Setup Guie Strt Here MFC-J3520 MFC-J3720 MFC-J6520DW MFC-J6720DW Plese re the Prout Sfety Guie first efore you set up your mhine. Then, re this Quik Setup Guie for the orret setup n instlltion. WARNING

More information

VMware Cloud Foundation Site Protection and Disaster Recovery Guide. VMware Cloud Foundation 3.0.1

VMware Cloud Foundation Site Protection and Disaster Recovery Guide. VMware Cloud Foundation 3.0.1 VMwre Cloud Foundtion Site Protection nd Disster Recovery Guide VMwre Cloud Foundtion 3.0.1 VMwre Cloud Foundtion Site Protection nd Disster Recovery Guide You cn find the most up-to-dte technicl documenttion

More information

the machine and check the components

the machine and check the components Quik Setup Guie Strt Here MFC-9460CDN MFC-9465CDN Before using this mhine for the first time, re this Quik Setup Guie to setup n instll your mhine. To view the Quik Setup Guie in other lnguges, plese visit

More information

File Manager Quick Reference Guide. June Prepared for the Mayo Clinic Enterprise Kahua Deployment

File Manager Quick Reference Guide. June Prepared for the Mayo Clinic Enterprise Kahua Deployment File Mnger Quick Reference Guide June 2018 Prepred for the Myo Clinic Enterprise Khu Deployment NVIGTION IN FILE MNGER To nvigte in File Mnger, users will mke use of the left pne to nvigte nd further pnes

More information

Upgrading from vrealize Automation to 7.3 or May 2018 vrealize Automation 7.3

Upgrading from vrealize Automation to 7.3 or May 2018 vrealize Automation 7.3 Upgrding from vrelize Automtion 6.2.5 to 7.3 or 7.3.1 03 My 2018 vrelize Automtion 7.3 You cn find the most up-to-dte technicl documenttion on the VMwre wesite t: https://docs.vmwre.com/ If you hve comments

More information

License Manager Installation and Setup

License Manager Installation and Setup The Network License (concurrent-user) version of e-dpp hs hrdwre key plugged to the computer running the License Mnger softwre. In the e-dpp terminology, this computer is clled the License Mnger Server.

More information

McAfee Network Security Platform

McAfee Network Security Platform Pssive Fil-Open Kit Quik Strt Guide Revision D MAfee Network Seurity Pltform MAfee Network Seurity Pltform IPS Sensors, when deployed in-line, route ll inoming trffi through designted port pir. However,

More information

vrealize Suite 7.0 Backup and Restore by Using EMC Avamar vrealize Suite 7.0

vrealize Suite 7.0 Backup and Restore by Using EMC Avamar vrealize Suite 7.0 vrelize Suite 7.0 Bckup nd Restore y Using EMC Avmr vrelize Suite 7.0 You cn find the most up-to-dte technicl documenttion on the VMwre wesite t: https://docs.vmwre.com/ If you hve comments out this documenttion,

More information

Agilent G3314AA BioConfirm Software

Agilent G3314AA BioConfirm Software Agilent G3314AA BioConfirm Softwre Quik Strt Guide Use this guide to instll nd get strted with the BioConfirm softwre. Wht is BioConfirm Softwre? Agilent G3314AA BioConfirm Softwre lets you onfirm the

More information

Zenoss Service Impact Installation and Upgrade Guide for Resource Manager 5.x and 6.x

Zenoss Service Impact Installation and Upgrade Guide for Resource Manager 5.x and 6.x Zenoss Service Impct Instlltion nd Upgrde Guide for Resource Mnger 5.x nd 6.x Relese 5.3.1 Zenoss, Inc. www.zenoss.com Zenoss Service Impct Instlltion nd Upgrde Guide for Resource Mnger 5.x nd 6.x Copyright

More information

Upgrading from vrealize Automation 6.2 to 7.1

Upgrading from vrealize Automation 6.2 to 7.1 Upgrding from vrelize Automtion 6.2 to 7.1 vrelize Automtion 7.1 This document supports the version of ech product listed nd supports ll susequent versions until the document is replced y new edition.

More information

User Manual. V1.0.1 Nov. 20, 2016

User Manual. V1.0.1 Nov. 20, 2016 User Mnul V1.0.1 Nov. 20, 2016 Tble of Contents 1. Overview... 1 2. Speifition... 1 3. Dimensions... 3 4. LED Inditors... 5 5. Lithium Bttery... 5 6. Entering BIOS... 5 7. Instlling Windows OS... 5 8.

More information

Monitoring and Alerting. 19 SEP 2017 VMware Validated Design 4.1 VMware Validated Design for Software-Defined Data Center 4.1

Monitoring and Alerting. 19 SEP 2017 VMware Validated Design 4.1 VMware Validated Design for Software-Defined Data Center 4.1 Monitoring nd ing 19 SEP 2017 VMwre Vlidted Design 4.1 VMwre Vlidted Design for Softwre-Defined Dt Center 4.1 Monitoring nd ing You cn find the most up-to-dte technicl documenttion on the VMwre wesite

More information

vcloud Director Tenant Portal Guide vcloud Director 9.0

vcloud Director Tenant Portal Guide vcloud Director 9.0 vcloud Director Tennt Portl Guide vcloud Director 9.0 vcloud Director Tennt Portl Guide You cn find the most up-to-dte technicl documenttion on the VMwre We site t: https://docs.vmwre.com/ The VMwre We

More information

WORKSHOP 19 GLOBAL/LOCAL MODELING USING FEM FIELDS

WORKSHOP 19 GLOBAL/LOCAL MODELING USING FEM FIELDS WORKSHOP 19 GLOBAL/LOCAL MODELING USING FEM FIELDS WS19-1 WS19-2 Prolem Desription This exerise is use to emonstrte how to mp isplement results from the nlysis of glol(overll) moel onto the perimeter of

More information

McAfee Network Security Platform

McAfee Network Security Platform Mnger Applince Quick Strt Guide Revision B McAfee Network Security Pltform This guide is high-level description of how to instll nd configure the Mnger Applince. For more detiled instlltion informtion,

More information

WORKSHOP 9 HEX MESH USING SWEEP VECTOR

WORKSHOP 9 HEX MESH USING SWEEP VECTOR WORKSHOP 9 HEX MESH USING SWEEP VECTOR WS9-1 WS9-2 Prolem Desription This exerise involves importing urve geometry from n IGES file. The urves re use to rete other urves. From the urves trimme surfes re

More information

Monitoring and Alerting. 27 MAR 2018 VMware Validated Design 4.2 VMware Validated Design for Software-Defined Data Center 4.2

Monitoring and Alerting. 27 MAR 2018 VMware Validated Design 4.2 VMware Validated Design for Software-Defined Data Center 4.2 Monitoring nd ing 27 MAR 2018 VMwre Vlidted Design 4.2 VMwre Vlidted Design for Softwre-Defined Dt Center 4.2 Monitoring nd ing You cn find the most up-to-dte technicl documenttion on the VMwre wesite

More information

Start Here. Quick Setup Guide. the machine and check the components DCP-9015CDW DCP-9020CDW

Start Here. Quick Setup Guide. the machine and check the components DCP-9015CDW DCP-9020CDW Quik Setup Guide Strt Here DCP-9015CDW DCP-9020CDW Plese red the Produt Sfety Guide first, then red this Quik Setup Guide for the orret setup nd instlltion proedure. To view the Quik Setup Guide in other

More information

Zenoss Resource Manager Installation Guide

Zenoss Resource Manager Installation Guide Zenoss Resource Mnger Instlltion Guide Relese 5.2.3 Zenoss, Inc. www.zenoss.com Zenoss Resource Mnger Instlltion Guide Copyright 2017 Zenoss, Inc. All rights reserved. Zenoss nd the Zenoss logo re trdemrks

More information

WORKSHOP 8A TENSION COUPON

WORKSHOP 8A TENSION COUPON WORKSHOP 8A TENSION COUPON WS8A-2 Workshop Ojetives Buil the tension oupon geometry Control the mesh y using tehniques isusse in lss Compre FEA stress results to theoretil results From Stress Conentrtion

More information

Chapter 9. Greedy Technique. Copyright 2007 Pearson Addison-Wesley. All rights reserved.

Chapter 9. Greedy Technique. Copyright 2007 Pearson Addison-Wesley. All rights reserved. Chpter 9 Greey Tehnique Copyright 2007 Person Aison-Wesley. All rights reserve. Greey Tehnique Construts solution to n optimiztion prolem piee y piee through sequene of hoies tht re: fesile lolly optiml

More information

NOTES. Figure 1 illustrates typical hardware component connections required when using the JCM ICB Asset Ticket Generator software application.

NOTES. Figure 1 illustrates typical hardware component connections required when using the JCM ICB Asset Ticket Generator software application. ICB Asset Ticket Genertor Opertor s Guide Septemer, 2016 Septemer, 2016 NOTES Opertor s Guide ICB Asset Ticket Genertor Softwre Instlltion nd Opertion This document contins informtion for downloding, instlling,

More information

Distance vector protocol

Distance vector protocol istne vetor protool Irene Finohi finohi@i.unirom.it Routing Routing protool Gol: etermine goo pth (sequene of routers) thru network from soure to Grph strtion for routing lgorithms: grph noes re routers

More information

Registering as an HPE Reseller

Registering as an HPE Reseller Registering s n HPE Reseller Quick Reference Guide for new Prtners Mrch 2019 Registering s new Reseller prtner There re four min steps to register on the Prtner Redy Portl s new Reseller prtner: Appliction

More information

Control Center Installation Guide

Control Center Installation Guide Control Center Instlltion Guide Relese 1.3.2 Zenoss, In. www.zenoss.om Control Center Instlltion Guide Copyright 2017 Zenoss, In. All rights reserved. Zenoss nd the Zenoss logo re trdemrks or registered

More information

vcloud Director Tenant Portal Guide vcloud Director 9.1

vcloud Director Tenant Portal Guide vcloud Director 9.1 vcloud Director Tennt Portl Guide vcloud Director 9.1 You cn find the most up-to-dte technicl documenttion on the VMwre website t: https://docs.vmwre.com/ If you hve comments bout this documenttion, submit

More information

Installer reference guide

Installer reference guide Instller referene guide Dikin Altherm LAN dpter BRP069A6 BRP069A6 Instller referene guide Dikin Altherm LAN dpter English Tle of Contents Tle of Contents Aout the doumenttion. Aout this doument... Aout

More information

Agilent MassHunter Workstation Data Acquisition for 6400 Series Triple Quadrupole LC/MS Familiarization Guide

Agilent MassHunter Workstation Data Acquisition for 6400 Series Triple Quadrupole LC/MS Familiarization Guide Agilent MssHunter Worksttion Dt Aquisition for 6400 Series Triple Qudrupole LC/MS Fmiliriztion Guide Before you egin 3 Prepre your system 3 Prepre to quire dt 4 Exerise 1 Develop n quisition method 6 Tsk

More information

vcloud Director Service Provider Admin Portal Guide 04 OCT 2018 vcloud Director 9.5

vcloud Director Service Provider Admin Portal Guide 04 OCT 2018 vcloud Director 9.5 vcloud Director Service Provider Admin Portl Guide 04 OCT 208 vcloud Director 9.5 You cn find the most up-to-dte technicl documenttion on the VMwre website t: https://docs.vmwre.com/ If you hve comments

More information

Cisco UCS Performance Manager Installation Guide

Cisco UCS Performance Manager Installation Guide Cisco UCS Performnce Mnger Instlltion Guide First Pulished: June 2017 Relese 2.5.0 Americs Hedqurters Cisco Systems, Inc. 170 West Tsmn Drive Sn Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

More information

Registering as a HPE Reseller. Quick Reference Guide for new Partners in Asia Pacific

Registering as a HPE Reseller. Quick Reference Guide for new Partners in Asia Pacific Registering s HPE Reseller Quick Reference Guide for new Prtners in Asi Pcific Registering s new Reseller prtner There re five min steps to e new Reseller prtner. Crete your Appliction Copyright 2017 Hewlett

More information

In USA: To download other guides for this product, visit the Brother Solutions Center at solutions.brother.com/manuals and select your model.

In USA: To download other guides for this product, visit the Brother Solutions Center at solutions.brother.com/manuals and select your model. Quik Setup Guide Strt Here HL-3180CDW Thnk you for hoosing Brother, your support is importnt to us nd we vlue your usiness. Your Brother produt is engineered nd mnuftured to the highest stndrds to deliver

More information

the machine and check the components Starter Ink Cartridges Basic User s Guide Product Safety Guide CD-ROM USB Interface Cable

the machine and check the components Starter Ink Cartridges Basic User s Guide Product Safety Guide CD-ROM USB Interface Cable Quik Setup Guide Strt Here MFC-J250 MFC-J450DW MFC-J470DW Plese red the Produt Sfety Guide first efore you set up your mhine. Then, plese red this Quik Setup Guide for the orret setup nd instlltion. WARNING

More information

the machine and check the components Introductory Ink Cartridges CD-ROM 1 Power Cord Telephone Line Cord

the machine and check the components Introductory Ink Cartridges CD-ROM 1 Power Cord Telephone Line Cord Quik Setup Guide Strt Here MFC-J650DW MFC-J870DW Plese red the Produt Sfety Guide first efore you set up your mhine. Then, plese red this Quik Setup Guide for the orret setup nd instlltion. WARNING CAUTION

More information

INSTALLING PRIVA GATEWAY FOR PRIVA CONNEXT

INSTALLING PRIVA GATEWAY FOR PRIVA CONNEXT INSTALLING PRIVA GATEWAY FOR PRIVA CONNEXT 1 Collet informtion 2 Power up Gtewy 3 Connet lptop with Gtewy 4 Gtewy setup: Updte, login nd onfigure 5 Connet with Priv Proess omputers in network 6 Strt Priv

More information