Certificate Replacement. 21 AUG 2018. VMware Validated Design 4.3. VMware Validated Design for Management and Workload Consolidation 4.3


You can find the most up-to-date technical documentation on the VMware website at https://docs.vmware.com/. If you have comments about this documentation, submit your feedback to docfeedback@vmware.com.

VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com

Copyright 2018 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

About VMware Validated Design Certificate Replacement for Consolidated SDDC

1 Certificate Replacement for Consolidated SDDC
  Create and Add a Microsoft Certificate Authority Template for Consolidated SDDC
  Generate MSCA-Signed Certificates for the SDDC Management Components for Consolidated SDDC
  Generate Certificate Signing Requests and Certificates from a Third-Party CA for Consolidated SDDC
  Replace Certificates of the Virtual Infrastructure Components for Consolidated SDDC
    Replace the Platform Services Controller Certificates for Consolidated SDDC
    Replace the vCenter Server Certificates for Consolidated SDDC
    Replace the ESXi Host Certificates for Consolidated SDDC
    Replace the NSX Manager Certificates for Consolidated SDDC
  Replace Certificates of the Operations Management Components for Consolidated SDDC
    Replace the Certificate on the vRealize Suite Lifecycle Manager Appliance for Consolidated SDDC
    Replace the vRealize Operations Manager Certificate for Consolidated SDDC
    Replace the vRealize Log Insight Certificate for Consolidated SDDC
  Replace Certificates of the Cloud Management Platform Components for Consolidated SDDC
    Replace the vRealize Automation Certificate for Consolidated SDDC
    Update the vRealize Automation Certificate on vRealize Orchestrator and vRealize Business for Consolidated SDDC
    Update the vRealize Automation Certificate on vRealize Operations Manager for Consolidated SDDC
    Replace the Certificate on vRealize Business for Cloud Server for Consolidated SDDC

About VMware Validated Design Certificate Replacement for Consolidated SDDC

VMware Validated Design Certificate Replacement provides step-by-step instructions about replacing certificates on all management components of a running Software-Defined Data Center (SDDC) whose design follows this VMware Validated Design for Management and Workload Consolidation.

In a Consolidated SDDC, the security of the environment depends on the validity and trust of the management certificates. As a best practice, you replace management certificates in the following cases:

- Before certificates expire.
- When a certificate is compromised.
- When the attributes related to a certificate change, for example, the host name or organization name.

The certificate replacement process consists of the following phases:

1 Obtain certificates for the management components that are signed by a custom certificate authority (CA).
  - Use the VMware Validated Design Certificate Generation utility to automatically generate the certificates for all components.
  - Manually generate Certificate Signing Requests (CSRs) and request CA-signed certificates by providing the CSRs to the CA.
2 Replace the certificates in the live SDDC environment.

Intended Audience

The VMware Validated Design Certificate Replacement documentation is intended for infrastructure administrators who have deployed a Consolidated SDDC environment using VMware Validated Design for Management and Workload Consolidation.

Required Software

VMware Validated Design Certificate Replacement uses the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products.

VMware Validated Design Certificate Replacement is compliant and validated with certain product versions. See the VMware Validated Design Release Notes for more information about supported product versions.

1 Certificate Replacement for Consolidated SDDC

In a dual-region environment, you first replace the certificates of the SDDC components in Region A.

Create and Add a Microsoft Certificate Authority Template for Consolidated SDDC
The first step in certificate generation and replacement is setting up a Microsoft Certificate Authority template on the Active Directory (AD) servers for the region. The template contains the certificate authority (CA) attributes for signing certificates of VMware SDDC solutions. After you create the new template, you add it to the certificate templates of the Microsoft CA.

Generate MSCA-Signed Certificates for the SDDC Management Components for Consolidated SDDC
Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

Generate Certificate Signing Requests and Certificates from a Third-Party CA for Consolidated SDDC
Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificate signing request (CSR) files that you can send to a third-party certificate authority and receive CA-signed certificates for the management components.

Replace Certificates of the Virtual Infrastructure Components for Consolidated SDDC
In this design, you replace user-facing certificates with certificates signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.

Replace Certificates of the Operations Management Components for Consolidated SDDC
If the certificate of vRealize Operations Manager or vRealize Log Insight expires, replace it and update it on the management components in the region to maintain a secure connection.

Replace Certificates of the Cloud Management Platform Components for Consolidated SDDC
After you generate signed certificates for the Cloud Management Platform, replace them and update them on the management components in the region to maintain a secure connection.

Create and Add a Microsoft Certificate Authority Template for Consolidated SDDC

The first step in certificate generation and replacement is setting up a Microsoft Certificate Authority template on the Active Directory (AD) servers for the region. The template contains the certificate authority (CA) attributes for signing certificates of VMware SDDC solutions. After you create the new template, you add it to the certificate templates of the Microsoft CA.

Creating a certificate authority template for this VMware Validated Design includes the following operations:

1 Set up a Microsoft Certificate Authority template.
2 Add the new template to the certificate templates of the Microsoft CA.

Prerequisites

This VMware Validated Design sets the Certificate Authority service hierarchies on both Active Directory (AD) servers: the main domain dc01rpl.rainpole.local (root CA) and the subdomain dc01sfo.sfo01.rainpole.local (the intermediate CA).

- Verify that you installed a Microsoft Server 2012 R2 VM with Active Directory Domain Services enabled.
- Verify that the Certificate Authority Service role and the Certificate Authority Web Enrollment role are installed and configured on the Active Directory Server.
- Verify that dc01sfo.sfo01.rainpole.local has been set up to be the intermediate CA of the root CA dc01rpl.rainpole.local.
- Use a hashing algorithm of SHA-256 or higher on the certificate authority.

1 Log in to the following AD server by using a Remote Desktop Protocol (RDP) client.

  Setting | Value
  FQDN | If you use the intermediate CA, connect to dc01sfo.sfo01.rainpole.local.
  User name | Active Directory administrator
  Password | ad_admin_password

2 Click Windows Start > Run, enter certtmpl.msc, and click OK.
3 In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
4 In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK.
5 In the Properties of New Template dialog box, click the General tab.
6 In the Template display name text box, enter VMware as the name of the new template.

7 Click the Extensions tab and specify extensions information.
  a Select Application Policies and click Edit.
  b Select Server Authentication, click Remove, and click OK.
  c Select Key Usage and click Edit.
  d Select the Signature is proof of origin (nonrepudiation) check box.
  e Leave the default for all other options.
  f Click OK.
8 Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
9 To add the new template to your CA, click Windows Start > Run, enter certsrv.msc, and click OK.
10 In the Certification Authority window, expand the left pane if it is collapsed.
11 Right-click Certificate Templates and select New > Certificate Template to Issue.
12 In the Name column of the Enable Certificate Templates dialog box, select the VMware certificate template that you created and click OK.

Generate MSCA-Signed Certificates for the SDDC Management Components for Consolidated SDDC

Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

For information about the VMware Validated Design Certificate Generation Utility, see VMware Knowledge Base article 2146215 and VMware Validated Design Planning and Preparation.

Prerequisites

- Provide a Windows Server 2012 host that is part of the sfo01.rainpole.local domain.
- Install an intermediate Certificate Authority server on the sfo01.rainpole.local domain.

1 Log in to a Windows host that has access to your data center.
2 Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
3 In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
4 A step under sfo01w01vc01.

5 Verify that the following properties are configured.

  ORG=Rainpole Inc.
  OU=Rainpole.local
  LOC=SFO
  ST=CA
  CC=US
  CN=VMware_VVD
  keysize=2048

6 Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.

Table 1-1. Certificate Generation Files for Consolidated SDDC

SDDC Layer | Host Name or Service in Consolidated SDDC | Configuration Files
Virtual Infrastructure | Platform Services Controller: sfo01w01psc01.sfo01.rainpole.local | sfo01w01psc01.txt
Virtual Infrastructure | vCenter Server: sfo01w01vc01.sfo01.rainpole.local | sfo01w01vc01.txt
Virtual Infrastructure | ESXi Hosts: sfo01w01esx01.sfo01.rainpole.local, sfo01w01esx02.sfo01.rainpole.local, sfo01w01esx03.sfo01.rainpole.local, sfo01w01esx04.sfo01.rainpole.local | sfo01w01esx01.txt, sfo01w01esx02.txt, sfo01w01esx03.txt, sfo01w01esx04.txt
Virtual Infrastructure | NSX Manager: sfo01w01nsx01.sfo01.rainpole.local | sfo01w01nsx01.txt
Cloud Management Platform | vRealize Automation: vra01svr01.rainpole.local, vra01svr01a.rainpole.local, vra01iws01.rainpole.local, vra01iws01a.rainpole.local, vra01ims01.rainpole.local, vra01ims01a.rainpole.local | vra-for-1-pod.txt
Cloud Management Platform | vRealize Business Server: vra01svr01.rainpole.local | vrb.txt
Operations Management | vRealize Suite Lifecycle Manager: vrslcm01svr01.rainpole.local | vrslcm01svr01.txt
Operations Management | vRealize Operations Manager: vrops01svr01.rainpole.local, vrops01svr01a.rainpole.local | vrops-for-1-pod.txt
Operations Management | vRealize Log Insight: sfo01vrli01.sfo01.rainpole.local, sfo01vrli01a.sfo01.rainpole.local | vrli-for-1-pod.txt

7 Verify that each configuration file includes the FQDNs and host names in the dedicated sections. For example, the configuration file for the Platform Services Controller instance must contain the following properties:

  sfo01w01psc01.txt
  [CERT]
  NAME=default
  ORG=default
  OU=default
  LOC=SFO
  ST=default
  CC=default
  CN=sfo01w01psc01.sfo01.rainpole.local
  keysize=default
  [SAN]
  sfo01w01psc01.sfo01.rainpole.local

8 Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.

  cd C:\CertGenVVD-version

9 Grant permissions to run third-party PowerShell scripts. Scoping the change to the current session (the -Scope Process parameter of Set-ExecutionPolicy) avoids leaving the host permanently permissive; the setting is discarded when the prompt closes.

  Set-ExecutionPolicy Unrestricted

10 Validate that you can run the utility using the configuration on the host and verify that VMware is included in the printed CA template policy.

  .\CertGenVVD-version.ps1 -validate

11 Generate MSCA-signed certificates.

  .\CertGenVVD-version.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -inter

12 In the C:\CertGenVVD-version folder, verify that the utility created the SignedByMSCACerts subfolder.

13 In the C:\CertGenVVD-version\SignedByMSCACerts\Root64 subfolder, rename chainRoot64.cer to Root64.cer.

What to do next

Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Virtual Infrastructure Components for Consolidated SDDC, Replace Certificates of the Operations Management Components for Consolidated SDDC, and Replace Certificates of the Cloud Management Platform Components for Consolidated SDDC.

Generate Certificate Signing Requests and Certificates from a Third-Party CA for Consolidated SDDC

Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificate signing request (CSR) files that you can send to a third-party certificate authority and receive CA-signed certificates for the management components.

Prerequisites

Provide a Windows Server 2012 host that has access to your data center.

1 Log in to a Windows host that has access to your data center.
2 Download the CertGenVVD-version.zip file of the Certificate Generation Utility from VMware Knowledge Base article 2146215 on the Windows host where you connect to the data center and extract the ZIP file to the C: drive.
3 In the C:\CertGenVVD-version folder, open the default.txt file in a text editor.
4 Verify that the following properties are configured.

  ORG=Rainpole Inc.
  OU=Rainpole.local
  LOC=SFO
  ST=CA
  CC=US
  CN=VMware_VVD
  keysize=2048

5 Verify that the C:\CertGenVVD-version\ConfigFiles folder contains only the following files.

Table 1-2. Certificate Generation Files for Consolidated SDDC

Host Name or Service in Consolidated SDDC | Configuration Files
Platform Services Controller: sfo01w01psc01.sfo01.rainpole.local | sfo01w01psc01.txt
vCenter Server: sfo01w01vc01.sfo01.rainpole.local | sfo01w01vc01.txt
ESXi Hosts: sfo01w01esx01.sfo01.rainpole.local, sfo01w01esx02.sfo01.rainpole.local, sfo01w01esx03.sfo01.rainpole.local, sfo01w01esx04.sfo01.rainpole.local | sfo01w01esx01.txt, sfo01w01esx02.txt, sfo01w01esx03.txt, sfo01w01esx04.txt
NSX Manager: sfo01w01nsx01.sfo01.rainpole.local | sfo01w01nsx01.txt
vSphere Data Protection: sfo01w01vdp01.sfo01.rainpole.local | sfo01w01vdp01.txt
vRealize Automation: vra01svr01.rainpole.local, vra01svr01a.rainpole.local, vra01iws01.rainpole.local, vra01iws01a.rainpole.local, vra01ims01.rainpole.local, vra01ims01a.rainpole.local | vra-for-1-pod.txt
vRealize Business Server: vra01svr01.rainpole.local | vrb.txt
vRealize Operations Manager: vrops01svr01.rainpole.local, vrops01svr01a.rainpole.local | vrops-for-1-pod.txt
vRealize Log Insight: sfo01vrli01.sfo01.rainpole.local, sfo01vrli01a.sfo01.rainpole.local | vrli-for-1-pod.txt

6 Verify that each configuration file includes the FQDN and host names in the dedicated sections. For example, the configuration file for the Platform Services Controller instance must contain the following properties:

  sfo01w01psc01.txt
  [CERT]
  NAME=default
  ORG=default
  OU=default
  LOC=SFO
  ST=default
  CC=default
  CN=sfo01w01psc01.sfo01.rainpole.local
  keysize=default
  [SAN]
  sfo01w01psc01.sfo01.rainpole.local

7 Open a Windows PowerShell prompt and navigate to the folder of the CertGenVVD utility.

  cd C:\CertGenVVD-version

8 Grant permissions to run third-party PowerShell scripts.

  Set-ExecutionPolicy Unrestricted

9 Validate that you can run the utility using the configuration on the host and verify that VMware is included in the printed CA template policy.

  .\CertGenVVD-version.ps1 -validate

10 Generate certificate request files for the management components in the SDDC.

  .\CertGenVVD-version.ps1 -CSR

11 Locate the CSR files in the C:\CertGenVVD-version\CSRCerts folder and send them to the third-party CA to request the signed certificates.
12 After you obtain all the signed certificate files and the root CA certificate, move the signed certificate files back to each directory where the CSR files reside.
13 In a command prompt, navigate to the folder that contains the CA root certificate and rename it to Root64.cer.
14 If the certificates are signed by multiple intermediate CAs, concatenate the certificates in one certificate chain file by running the following command. List the intermediate CA certificates first and the root CA certificate last, and give the chain file as the destination argument of copy; redirecting with > would write only the "file(s) copied" status message of copy into Root64.cer. The /b option copies the files byte for byte so that no end-of-file marker is appended to the PEM text.

  copy /b IntermediateCAroot01.cer+IntermediateCAroot02.cer+RootCA.cer Root64.cer

15 Move Root64.cer to the C:\CertGenVVD-version\CSRCerts\Root64 folder.
16 Run the CertGenVVD tool with the -CSR and -extra command options to generate all certificates that are required for the SDDC management components.

  .\CertGenVVD-version.ps1 -CSR -extra

What to do next

Replace the product certificates with the certificates that the CertGenVVD utility has generated. See Replace Certificates of the Virtual Infrastructure Components for Consolidated SDDC, Replace Certificates of the Operations Management Components for Consolidated SDDC, and Replace Certificates of the Cloud Management Platform Components for Consolidated SDDC.

Replace Certificates of the Virtual Infrastructure Components for Consolidated SDDC

In this design, you replace user-facing certificates with certificates signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.

By default, virtual infrastructure management components use TLS/SSL certificates that are signed by the VMware Certificate Authority (VMCA).
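Both generation procedures above depend on default.txt and the ConfigFiles folder being right before CertGenVVD runs: a stale or extra file in ConfigFiles produces certificates for hosts that are not in the design, a CN that is missing from [SAN] produces a certificate that browsers reject for that host name, and a keysize below 2048 is weaker than the design requires. The following Python script is an added example, not part of CertGenVVD or of this design. It checks a set of configuration files against the expected file list from Table 1-1 and against default.txt, resolving "default" values the way the sample sfo01w01psc01.txt implies. The file format it parses (bare KEY=VALUE lines in default.txt, [CERT] and [SAN] sections in the per-host files), the domain check, and the constructed sample inputs are assumptions built from the values shown in the procedures.

```python
"""Pre-flight check of a CertGenVVD configuration set (default.txt plus one
file per host or service in ConfigFiles).  Added example, not part of the
CertGenVVD utility; the file format and the samples below are assumptions
modelled on the configuration shown in the replacement procedures."""

MIN_KEYSIZE = 2048
CERT_KEYS = ("NAME", "ORG", "OU", "LOC", "ST", "CC", "CN", "keysize")

# Constructed from the default.txt values listed in the procedure.
DEFAULT_TXT = """\
ORG=Rainpole Inc.
OU=Rainpole.local
LOC=SFO
ST=CA
CC=US
CN=VMware_VVD
keysize=2048
"""

# Constructed from the sfo01w01psc01.txt sample in the procedure.
PSC_TXT = """\
[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=sfo01w01psc01.sfo01.rainpole.local
keysize=default
[SAN]
sfo01w01psc01.sfo01.rainpole.local
"""

# Constructed faulty file: CN left at "default" (so it inherits the
# VMware_VVD placeholder), a weak key, and a SAN naming a different host.
BAD_TXT = """\
[CERT]
NAME=default
ORG=default
OU=default
LOC=SFO
ST=default
CC=default
CN=default
keysize=1024
[SAN]
sfo01w01vc01.sfo01.rainpole.local
"""


def parse_config(text):
    """Parse a CertGenVVD-style file into {"CERT": {key: value}, "SAN": [names]}.
    KEY=VALUE lines before any [section] header (as in default.txt) count as CERT."""
    cfg = {"CERT": {}, "SAN": []}
    section = "CERT"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "SAN":
            cfg["SAN"].append(line.lower())
        else:
            key, _, value = line.partition("=")
            cfg["CERT"][key.strip()] = value.strip()
    return cfg


def resolve(cfg, defaults):
    """Replace every value set to 'default' with the value from default.txt."""
    resolved = {}
    for key in CERT_KEYS:
        value = cfg["CERT"].get(key, "default")
        resolved[key] = defaults.get(key, "") if value.lower() == "default" else value
    return resolved


def check_config(name, cfg, defaults, domain):
    """Return findings for one per-host file; an empty list means it is usable."""
    findings = []
    cert = resolve(cfg, defaults)
    cn = cert["CN"].lower()
    if not cn:
        findings.append(f"{name}: CN is missing")
    elif not cn.endswith("." + domain):  # catches an inherited placeholder CN
        findings.append(f"{name}: CN {cn} is outside {domain}")
    if cn and cn not in cfg["SAN"]:  # browsers match SAN, not CN
        findings.append(f"{name}: CN {cn} is not listed in [SAN]")
    if not cfg["SAN"]:
        findings.append(f"{name}: [SAN] section is empty")
    try:
        keysize = int(cert["keysize"])
    except ValueError:
        keysize = 0
    if keysize < MIN_KEYSIZE:
        findings.append(f"{name}: keysize {cert['keysize']} is below {MIN_KEYSIZE}")
    for key in ("ORG", "OU", "LOC", "ST", "CC"):
        if not cert[key]:
            findings.append(f"{name}: {key} resolves to an empty value")
    return findings


def check_config_set(default_text, files, expected, domain):
    """files: {filename: contents} as found in ConfigFiles; expected: the set of
    file names from Table 1-1.  Extra and missing files are reported first."""
    defaults = parse_config(default_text)["CERT"]
    findings = []
    present = set(files)
    for extra in sorted(present - expected):
        findings.append(f"{extra}: unexpected file in ConfigFiles")
    for missing in sorted(expected - present):
        findings.append(f"{missing}: expected file is missing from ConfigFiles")
    for name in sorted(present & expected):
        findings.extend(check_config(name, parse_config(files[name]), defaults, domain))
    return findings


if __name__ == "__main__":
    expected = {"sfo01w01psc01.txt", "sfo01w01vc01.txt"}
    files = {"sfo01w01psc01.txt": PSC_TXT, "sfo01w01vc01.txt": BAD_TXT}
    for finding in check_config_set(DEFAULT_TXT, files, expected, "rainpole.local"):
        print(finding)
```

Run it against the real folder by reading each file in ConfigFiles into the files dictionary and passing the file names from Table 1-1 as expected; any finding should be fixed before the -validate and generation steps, because CertGenVVD signs whatever the files say.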

Infrastructure administrators connect to different SDDC components, such as vCenter Server systems or a Platform Services Controller, from a Web browser to perform configuration, management, and troubleshooting. The authenticity of the network node to which the administrator connects must be confirmed with a valid TLS/SSL certificate.

You can use other certificate authorities according to the requirements of your organization. You do not replace certificates for machine-to-machine communication. If necessary, you can manually mark these certificates as trusted.

1 Replace the Platform Services Controller Certificates for Consolidated SDDC
2 Replace the vCenter Server Certificates for Consolidated SDDC
  Replace the certificate on each vCenter Server instance for Consolidated SDDC and reconnect it to the other management components to update the new certificate on these components.
3 Replace the ESXi Host Certificates for Consolidated SDDC
  Replace the default or expired certificates on the ESXi hosts with certificates that are generated by using the CertGenVVD utility.
4 Replace the NSX Manager Certificates for Consolidated SDDC
  Replace the certificate on an NSX Manager instance, for example, if it is about to expire, and update it on the management components connected to this instance.

Replace the Platform Services Controller Certificates for Consolidated SDDC

Replace the certificate of the Platform Services Controller instance. Reconnect the Platform Services Controller instance to the vCenter Server and NSX Manager instances to update the certificates for vCenter Single Sign-On on these components.

1 Replace the Platform Services Controller Certificates for Consolidated SDDC
  To establish a trusted connection with the other SDDC management components, you replace the default or expiring machine SSL certificate on each Platform Services Controller instance in the region with a custom certificate. The certificate, generated by the CertGenVVD utility, is signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.
2 Update the Platform Services Controller Certificates on the Management Components for Consolidated SDDC
  After you replace the certificate on a Platform Services Controller instance, update the certificate on the vCenter Server and NSX Manager instances in the region.

What to do next

If you replace the certificates of vCenter Server after those of the Platform Services Controllers, see Replace the Certificate of vCenter Server for Consolidated SDDC.

Replace the Platform Services Controller Certificates for Consolidated SDDC

To establish a trusted connection with the other SDDC management components, you replace the default or expiring machine SSL certificate on each Platform Services Controller instance in the region with a custom certificate. The certificate, generated by the CertGenVVD utility, is signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.

Table 1-3. Certificate-Related Files on a Platform Services Controller Instance

Platform Services Controller | Certificate Filename
sfo01w01psc01.sfo01.rainpole.local | sfo01w01psc01.1.cer, sfo01w01psc01.key, Root64.cer

1 Open a Secure Shell (SSH) connection to the Platform Services Controller virtual machine.
  a Open an SSH connection to sfo01w01psc01.sfo01.rainpole.local.
  b Log in using the following credentials.

    Setting | Value
    User name | root
    Password | psc_root_password

2 To allow secure copy (scp) connections for the root user, change the Platform Services Controller command shell to the Bash shell.

  shell
  chsh -s "/bin/bash" root

3 Copy the generated certificates to the Platform Services Controller.
  a To create a new temporary folder, run the following command.

    mkdir -p /root/certs

  b Copy the certificate files sfo01w01psc01.1.cer, sfo01w01psc01.key, and Root64.cer to the /root/certs folder. You can use scp software such as WinSCP.

4 Replace the certificate on the Platform Services Controller.
  a Start the vSphere Certificate Manager utility on the Platform Services Controller.

    /usr/lib/vmware-vmca/bin/certificate-manager

  b Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
  c Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
  d Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
  e When prompted for the custom certificate, enter /root/certs/sfo01w01psc01.1.cer.
  f When prompted for the custom key, enter /root/certs/sfo01w01psc01.key.
  g When prompted for the signing certificate, enter /root/certs/Root64.cer.
  h When prompted to Continue operation, enter Y.
  The Platform Services Controller services automatically restart.
5 Verify that the new certificate has been installed successfully.
  a Open a Web browser and go to https://sfo01w01psc01.sfo01.rainpole.local.
  b Verify that the Web browser shows the new certificate.
6 After Certificate Manager replaces the certificates, restart the vami-lighttp service to update the certificate in the virtual appliance management interface (VAMI) and remove the certificate files from the Platform Services Controller. The private key in particular must not stay in /root/certs after the import.

  service vami-lighttp restart
  cd /root/certs
  rm sfo01w01psc01.1.cer sfo01w01psc01.key Root64.cer

7 Switch the shell back to the appliance shell.

  chsh -s /bin/appliancesh root

Update the Platform Services Controller Certificates on the Management Components for Consolidated SDDC

After you replace the certificate on a Platform Services Controller instance, update the certificate on the vCenter Server and NSX Manager instances in the region.

1 Log in to vCenter Server by using a Secure Shell (SSH) client.
  a Open an SSH connection to the sfo01w01vc01.sfo01.rainpole.local virtual machine.
  b Log in using the following credentials.

    Setting | Value
    User name | root
    Password | vcenter_server_root_password

2 Restart the services of vCenter Server.
  a Switch from the vCenter Server Appliance command shell to the Bash shell.

    shell

  b Restart the vCenter Server services by using the following commands.

    service-control --stop --all
    service-control --start --all

3 Reconnect NSX Manager to the Platform Services Controller and vCenter Server after you install the custom certificates on the nodes. See Connect NSX Manager to vCenter Server for Consolidated SDDC.

Replace the vCenter Server Certificates for Consolidated SDDC

Replace the certificate on each vCenter Server instance for Consolidated SDDC and reconnect it to the other management components to update the new certificate on these components.

1 Replace the Certificate of vCenter Server for Consolidated SDDC
  To establish a trusted connection with the other SDDC components, you replace the machine SSL certificate on each vCenter Server instance in the region with a custom certificate. The certificate, generated by the CertGenVVD utility, is signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.
2 Connect NSX Manager to vCenter Server for Consolidated SDDC
3 Update the Certificate of vCenter Server on the Cloud Management Platform for Consolidated SDDC
  After you replace the certificate on the vCenter Server instance for Consolidated SDDC, reconnect vRealize Orchestrator, vRealize Business, and vRealize Automation to vCenter Server to update the vCenter Server certificate on the Cloud Management Platform.

4 Update the vCenter Server Certificates on vRealize Operations Manager for Consolidated SDDC
  After you change the certificate of the vCenter Server instance for Consolidated SDDC, update the certificates on the connected vRealize Operations Manager node by reconnecting the vCenter Adapter and vSAN Adapter instances.

Replace the Certificate of vCenter Server for Consolidated SDDC

To establish a trusted connection with the other SDDC components, you replace the machine SSL certificate on each vCenter Server instance in the region with a custom certificate. The certificate, generated by the CertGenVVD utility, is signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.

Table 1-4. Certificate-Related Files on the vCenter Server Instance

vCenter Server FQDN | Files for Certificate Replacement
sfo01w01vc01.sfo01.rainpole.local | sfo01w01vc01.key, sfo01w01vc01.1.cer, Root64.cer

1 Log in to vCenter Server by using a Secure Shell (SSH) client.
  a Open an SSH connection to the sfo01w01vc01.sfo01.rainpole.local virtual machine.
  b Log in using the following credentials.

    Setting | Value
    User name | root
    Password | vcenter_server_root_password

2 To allow secure copy (scp) connections for the root user, change the vCenter Server Appliance command shell to the Bash shell.

  shell
  chsh -s "/bin/bash" root

3 Copy the generated certificates to the vCenter Server Appliance.
  a Run the following command to create a new temporary folder.

    mkdir -p /root/certs

  b Copy the certificate files sfo01w01vc01.1.cer, sfo01w01vc01.key, and Root64.cer to the /root/certs folder. You can use scp software such as WinSCP.

4 Replace the CA-signed certificate on the vCenter Server instance.
  a Start the vSphere Certificate Manager utility on the vCenter Server instance.
    /usr/lib/vmware-vmca/bin/certificate-manager
  b Select Option 1 (Replace Machine SSL certificate with Custom Certificate), and enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
  c When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.
    vCenter Server Instance              IP Address of Managing Platform Services Controller
    sfo01w01vc01.sfo01.rainpole.local    172.16.11.63
  d Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
  e When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that you copied over earlier, and confirm the import with Yes (Y).
    vCenter Server: sfo01w01vc01.sfo01.rainpole.local
    Input to the vSphere Certificate Manager Utility:
      Please provide valid custom certificate for Machine SSL.
      File : /root/certs/sfo01w01vc01.1.cer
      Please provide valid custom key for Machine SSL.
      File : /root/certs/sfo01w01vc01.key
      Please provide the signing certificate of the Machine SSL certificate.
      File : /root/certs/Root64.cer
5 When the status shows 100% Completed, wait several minutes until all vCenter Server services are restarted.
6 Open the vSphere Web Client to verify that the certificate replacement is successful.
  a Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client.
  b Verify that you see the new certificate.
7 Restart the vami-lighttp service to update the certificate on the virtual appliance management interface (VAMI) and remove the certificate files.
    service vami-lighttp restart
    cd /root/certs/
    rm sfo01w01vc01.1.cer sfo01w01vc01.key Root64.cer
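A pre-flight check for the three files copied to /root/certs in step 3 (chain to Root64.cer, key matches certificate, FQDN in the subjectAltName, not about to expire), and the same checks run against the certificate a node actually serves after the replacement, which is the scripted form of the browser check in step 6 and of the later ESXi host verification. This is an added shell example, not code from the VMware Validated Design documentation or from the CertGenVVD utility; it assumes the files are PEM-encoded and that an openssl binary is available, and the throwaway CA and host certificate that its make_test_material function generates are constructed test material only.

```shell
#!/bin/sh
# Added example, not from the VMware Validated Design documentation. Assumes
# the CertGenVVD files are PEM-encoded and that openssl is on the PATH.

# check_cert <cert> <key or "-"> <Root64.cer> <fqdn>
# Pass "-" as the key to skip the key-match check (used for a served cert).
# With an intermediate CA, pass a file holding root plus intermediate as the
# CA file; openssl verify accepts several trusted certificates in one file.
# Returns 0 when every check passes, otherwise prints a FAIL line and returns 1.
check_cert() {
  cert=$1; key=$2; ca=$3; fqdn=$4
  # 1. The certificate must chain to the custom CA the SDDC components trust.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; return 1
  fi
  # 2. The private key must belong to the certificate (compare public keys);
  #    certificate-manager reports a mismatch only after the import starts.
  if [ "$key" != "-" ]; then
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
      echo "FAIL: $key does not match $cert"; return 1
    fi
  fi
  # 3. Clients connect by FQDN, so the subjectAltName list must carry it.
  if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -Eq "DNS:$fqdn(,|$)"; then
    echo "FAIL: $cert has no subjectAltName DNS:$fqdn"; return 1
  fi
  # 4. Refuse a certificate that expires within 30 days (2592000 seconds).
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "FAIL: $cert expires within 30 days"; return 1
  fi
  echo "OK: $cert passes all checks for $fqdn"
}

# served_check <fqdn> <port> <Root64.cer>
# Scripted form of the "verify that the certificate returned by the host is
# signed by Rainpole" step: fetch the certificate the node presents and run
# check_cert on it. Needs network access to the node.
served_check() {
  fqdn=$1; port=$2; ca=$3
  served=$(mktemp)
  openssl s_client -connect "$fqdn:$port" -servername "$fqdn" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$served" 2>/dev/null
  if [ ! -s "$served" ]; then
    echo "FAIL: no certificate received from $fqdn:$port"; rm -f "$served"; return 1
  fi
  check_cert "$served" - "$ca" "$fqdn"; rc=$?
  rm -f "$served"
  return $rc
}

# make_test_material <dir> <fqdn>
# Constructed test material only: a throwaway CA (Root64.cer) and a host
# certificate (host.1.cer, host.key) laid out like CertGenVVD output.
make_test_material() {
  dir=$1; fqdn=$2
  cat >"$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Rainpole Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/Root64.cer" >/dev/null 2>&1
  openssl req -new -config "$dir/req.cnf" -subj "/CN=$fqdn" -newkey rsa:2048 -nodes \
    -keyout "$dir/host.key" -out "$dir/host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$fqdn" >"$dir/san.ext"
  openssl x509 -req -in "$dir/host.csr" -CA "$dir/Root64.cer" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/host.1.cer" >/dev/null 2>&1
}

# Usage on the appliance after step 3 of the procedure, before running
# certificate-manager:
#   sh check_certs.sh /root/certs/sfo01w01vc01.1.cer /root/certs/sfo01w01vc01.key \
#      /root/certs/Root64.cer sfo01w01vc01.sfo01.rainpole.local
if [ $# -eq 4 ]; then check_cert "$@"; fi
```

The same four checks apply to the ESXi host files (sfo01w01esx01.key and sfo01w01esx01.1.cer) used later in this document; run served_check with port 443 against a host after it leaves maintenance mode.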

Connect NSX Manager to vCenter Server for Consolidated SDDC
After you replace the certificates of the Platform Services Controller and vCenter Server instances for Consolidated SDDC, you reconnect the NSX Manager instances to the Platform Services Controller and vCenter Server nodes in the region to update the certificates on NSX Manager.
1 Log in to the NSX Manager appliance user interface.
  a Open a Web browser and go to https://sfo01w01nsx01.sfo01.rainpole.local.
  b Log in using the following credentials.
    Setting    Value
    User name  admin
    Password   nsx_manager_admin_password
2 Click Manage vCenter Registration.
3 Under Lookup Service URL, click Edit.
4 In the Lookup Service URL dialog box, enter the following settings and click OK.
    Setting                       Value
    Lookup Service Host           sfo01w01psc01.sfo01.rainpole.local
    Lookup Service Port           443
    SSO Administrator User Name   administrator@vsphere.local
    Password                      vsphere_admin_password
5 In the Trust Certificate? dialog box, click Yes.
6 Under vCenter Server, click Edit.
7 In the vCenter Server dialog box, enter the following settings, and click OK.
    Setting             Value
    vCenter Server      sfo01w01vc01.sfo01.rainpole.local
    vCenter User Name   svc-nsxmanager@rainpole.local
    Password            svc-nsxmanager_password
8 In the Trust Certificate? dialog box, click Yes.
9 Wait for the Status indicators for the Lookup Service URL and vCenter Server to change to the Connected status.

Update the Certificate of vCenter Server on the Cloud Management Platform for Consolidated SDDC
After you replace the certificate on the vCenter Server instance for Consolidated SDDC, reconnect vRealize Orchestrator, vRealize Business, and vRealize Automation to vCenter Server to update the vCenter Server certificate on the Cloud Management Platform.
1 Reconnect vRealize Orchestrator to vCenter Server.
  a Open a Web browser and go to https://vra01svr01.rainpole.local/vco.
  b Click Start Orchestrator Client.
  c On the VMware vRealize Orchestrator login page, log in to the embedded vRealize Orchestrator by using the following host name and credentials.
    Setting    Value
    Host name  https://vra01svr01.rainpole.local:443
    User name  svc-vra
    Password   svc-vra-password
  d In the left pane, click Workflows, and navigate to Library > vCenter > Configuration.
  e Right-click the Update a vCenter Server instance workflow and click Start Workflow.
  f From the vCenter Server instance drop-down menu, select https://sfo01w01vc01.sfo01.rainpole.local:443/sdk and click Next.
  g On the Start Workflow: Update a vCenter Server instance tab, click Next.
  h Enter the password for the svc-vro@rainpole.local user account and click Submit.
  i On the certificate warning window, click Next.
  j Select Yes to import the certificate and click Submit.
2 Reconnect vRealize Business to vCenter Server.
  a Open a Web browser and go to https://sfo01vrbc01.sfo01.rainpole.local:9443/dc-ui.
  b Log in using the following credentials.
    Setting    Value
    User name  root
    Password   vrb_root_password
  c Click Manage Private Cloud Connections, select vCenter Server, select the sfo01w01vc01.sfo01.rainpole.local entry, and click the Edit icon.

  d In the Edit vCenter Server Connection dialog box, enter the password for the svc-vra@rainpole.local user and click Save.
  e In the SSL Certificate warning dialog box, click Install.
  f In the Success dialog box, click OK.
3 Recreate the vSphere endpoint in vRealize Automation.
  a Open a Web browser and go to https://vra01svr01.rainpole.local/vcac/org/rainpole.
  b Log in using the following credentials.
    Setting    Value
    User name  vra-admin-rainpole
    Password   vra-admin-rainpole_password
    Domain     rainpole.local
  c Navigate to Infrastructure > Endpoints > Endpoints.
  d Point to sfo01w01vc01.sfo01.rainpole.local and click Edit from the menu.
  e On the Edit Endpoint - vSphere (vCenter) page, click OK.
  f In the certificate warning dialog box, click OK to accept the new certificate.

Update the vCenter Server Certificates on vRealize Operations Manager for Consolidated SDDC
After you change the certificate of the vCenter Server instance for Consolidated SDDC, update the certificates on the connected vRealize Operations Manager node by reconnecting the vCenter Adapter and vSAN Adapter instances.
1 Log in to vRealize Operations Manager by using the operations interface.
  a Open a Web browser and go to https://vrops01svr01.rainpole.local.
  b Log in using the following credentials.
    Setting    Value
    User name  admin
    Password   vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane of vRealize Operations Manager, under Management, click Certificates.
4 Select the row that contains CN=sfo01w01vc01.sfo01.rainpole.local and click the Delete icon.
5 In the left pane of vRealize Operations Manager, click Solutions.

6 Reconnect each vCenter Adapter.
  a Select the VMware vSphere solution and click Configure.
  b In the Manage Solutions dialog box, select vCenter Adapter - sfo01w01vc01, click Test Connection, accept the new certificate of vCenter Server, and click Save Settings.
7 Reconnect the VMware vSAN adapter for the management cluster.
  a Select the VMware vSAN solution and click Configure.
  b In the Manage Solutions dialog box, select vSAN Adapter - sfo01w01vc01, click Test Connection, accept the new certificate of the Management vCenter Server, and click Save Settings.
8 Reconnect the Management Pack for Storage adapter for the management cluster.
  a Select the Management Pack for Storage Devices solution and click Configure.
  b In the Manage Solutions dialog box, select Storage Devices Adapter - sfo01w01vc01, click Test Connection, accept the new certificate of vCenter Server, and click Save Settings.

Replace the ESXi Host Certificates for Consolidated SDDC
Replace the default or expired certificates on the ESXi hosts with certificates that are generated by using the CertGenVVD utility. In each cluster, you configure the certificate mode for hosts to support custom certificate authorities (CAs) and replace the old certificates with certificates that are signed by a custom CA.
1 Set Host Certificate Mode on vCenter Server to Support Custom Certificate Authority for Consolidated SDDC
  By default, the ESXi hosts are automatically provisioned with VMware Certificate Authority (VMCA) certificates when they are connected to vCenter Server. You set the host certificate mode on vCenter Server to support a custom certificate authority to prevent vCenter Server from replacing the certificates on the ESXi hosts.
2 Replace the Default Certificates with Custom Certificates on the ESXi Hosts for Consolidated SDDC
  After you obtain signed certificates for the ESXi hosts in the region and configure vCenter Server to accept custom certificate authorities, replace the default VMware Certificate Authority (VMCA) signed certificates with the custom ones on the hosts.
Set Host Certificate Mode on vCenter Server to Support Custom Certificate Authority for Consolidated SDDC
By default, the ESXi hosts are automatically provisioned with VMware Certificate Authority (VMCA) certificates when they are connected to vCenter Server. You set the host certificate mode on vCenter Server to support a custom certificate authority to prevent vCenter Server from replacing the certificates on the ESXi hosts.

    vCenter Server                       ESXi Host
    sfo01w01vc01.sfo01.rainpole.local    sfo01w01esx01.sfo01.rainpole.local
                                         sfo01w01esx02.sfo01.rainpole.local
                                         sfo01w01esx03.sfo01.rainpole.local
                                         sfo01w01esx04.sfo01.rainpole.local
1 Log in to vCenter Server by using the vSphere Web Client.
  a Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client.
  b Log in using the following credentials.
    Setting    Value
    User name  administrator@vsphere.local
    Password   vsphere_admin_password
2 Verify that all CA certificates from vCenter Server are updated on all hosts.
  a In the Navigator, under Hosts and Clusters, select sfo01w01esx01.sfo01.rainpole.local, and click the Configure tab.
  b Under System, select Certificate and click Refresh CA Certificates.
  c Repeat the steps for the other ESXi hosts that are controlled by the vCenter Server sfo01w01vc01.sfo01.rainpole.local.
3 Change the certificate mode for the ESXi hosts in the consolidated cluster to custom.
  a In the Navigator, under Hosts and Clusters, select sfo01w01vc01.sfo01.rainpole.local, and click the Configure tab.
  b Under Settings, click Advanced Settings and click Edit.
  c In the filter box, enter certmgmt and press Enter to view only the certificate management properties.
  d Change the value of the vpxd.certmgmt.mode property to custom and click OK.
4 Restart the vCenter Server Appliance to apply the changes.
  a Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local:5480.
  b Log in using the following credentials.
    Setting    Value
    User name  root
    Password   vcenter_server_root_password
  c Click Reboot to restart the vCenter Server Appliance.

Replace the Default Certificates with Custom Certificates on the ESXi Hosts for Consolidated SDDC
After you obtain signed certificates for the ESXi hosts in the region and configure vCenter Server to accept custom certificate authorities, replace the default VMware Certificate Authority (VMCA) signed certificates with the custom ones on the hosts. You replace the certificate separately on each host in the management cluster.
Table 1-5. Certificate File Names for the Hosts in the Consolidated SDDC
    ESXi Host                             Certificate Filenames
    sfo01w01esx01.sfo01.rainpole.local    sfo01w01esx01.key, sfo01w01esx01.1.cer
    sfo01w01esx02.sfo01.rainpole.local    sfo01w01esx02.key, sfo01w01esx02.1.cer
    sfo01w01esx03.sfo01.rainpole.local    sfo01w01esx03.key, sfo01w01esx03.1.cer
    sfo01w01esx04.sfo01.rainpole.local    sfo01w01esx04.key, sfo01w01esx04.1.cer
1 Log in to vCenter Server by using the vSphere Web Client.
  a Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client.
  b Log in using the following credentials.
    Setting    Value
    User name  administrator@vsphere.local
    Password   vsphere_admin_password
2 Disable lockdown mode on the sfo01w01esx01.sfo01.rainpole.local host.
  a From the Home menu of the vSphere Web Client, select Hosts and Clusters.
  b Under the sfo01-w01dc data center, select the sfo01w01esx01.sfo01.rainpole.local host object and click the Configure tab on the right.
  c Under System, click Security Profile, scroll down to Lockdown Mode, and click Edit.
  d In the Lockdown Mode dialog box, select Disabled and click OK.
  e Scroll up to the Services pane and click Edit.
  f In the Edit Security Profile dialog box, select SSH.
  g Click the Start button if the status is not showing up as Running.
  h Click OK to close the Edit Security Profile dialog box.

3 Place the host in maintenance mode.
  a Under the sfo01-w01dc data center, right-click the sfo01w01esx01.sfo01.rainpole.local host object and select Maintenance Mode > Enter Maintenance Mode.
  b In the Confirm Maintenance Mode dialog box, select Move powered-off and suspended virtual machines to other hosts in the cluster and click OK.
4 Replace the certificate files on the host.
  a After the maintenance task is complete, open an SSH connection to the sfo01w01esx01.sfo01.rainpole.local host using the following credentials.
    Option     Description
    User name  root
    Password   esxi_root_user_password
  b Copy the sfo01w01esx01.key and sfo01w01esx01.1.cer files from the Windows host where you run the CertGenVVD tool to the /etc/vmware/ssl directory on the host.
  c Run the following commands to back up the present certificate and key files and to replace them with the generated files.
    cd /etc/vmware/ssl
    cat rui.crt >> rui.bak
    cat rui.key >> rui.bak
    mv sfo01w01esx01.key rui.key
    mv sfo01w01esx01.1.cer rui.crt
5 Restart the management agents on the host.
  a Run the dcui command to open the Direct Console User Interface (DCUI).
  b Press the F12 key to access the System Customization menu.
  c Select Troubleshooting Options and press Enter.
  d Select Restart Management Agents and press Enter.
  e Press the F11 key to confirm the restart and press Enter to confirm completion.
  f Press Control+C to close the DCUI application.
  g Run the following commands to restart the vsanvpd and vsanmgmtd services.
    /etc/init.d/vsanvpd restart
    /etc/init.d/vsanmgmtd restart
6 Verify that the custom certificate is installed.
  a Open a Web browser and go to https://sfo01w01esx01.sfo01.rainpole.local.
  b Verify that the certificate returned by the host is signed by Rainpole instead of by VMware.

7 Exit maintenance mode on the host.
  a Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client.
  b Log in using the following credentials.
    Setting    Value
    User name  administrator@vsphere.local
    Password   vsphere_admin_password
  c From the Home menu, select Hosts and Clusters.
  d Under the sfo01-w01dc data center, right-click the sfo01w01esx01.sfo01.rainpole.local host object and select Maintenance Mode > Exit Maintenance Mode.
  e Make sure that no warning message about an untrusted sfo01w01esx01.sfo01.rainpole.local certificate appears.
8 Reconnect the ESXi host to vCenter Server to refresh the host certificate on vCenter Server.
  a Under the sfo01-w01dc data center, right-click the sfo01w01esx01.sfo01.rainpole.local host object and select Connection > Disconnect.
  b Click Yes in the Confirm Disconnect pop-up window.
  c Wait until the host is disconnected.
  d Right-click the sfo01w01esx01.sfo01.rainpole.local host object and select Connection > Connect.
  e On the Configure tab, under System, select Certificates and verify that the certificate displayed for the host is the new one.
9 Verify that the storage providers are online for the ESXi host.
  a Select the sfo01w01vc01.sfo01.rainpole.local vCenter Server object and click the Configure tab.
  b Under More, select Storage Providers.
  c Verify that the status for the http://sfo01w01esx01.sfo01.rainpole.local:8080/version.xml URL of the vSAN storage provider is Online.
  d If the status of the URL is different from Online, select the URL, click the Unregister the selected storage provider icon, and then click the Synchronizes all the storage providers with the current states of the environment icon.
10 Repeat the procedure for the rest of the ESXi hosts in the region.

Replace the NSX Manager Certificates for Consolidated SDDC
Replace the certificate on an NSX Manager instance, for example, if it is about to expire, and update it on the management components connected to this instance.

1 Replace the Certificate of NSX Manager for Consolidated SDDC
2 Connect NSX Manager to vCenter Server for Consolidated SDDC
3 Reconnect NSX Manager for Consolidated SDDC to vRealize Operations Manager
  After you replace the certificate on each NSX Manager instance in the region, reconnect the NSX adapter in vRealize Operations Manager to update the certificate on vRealize Operations Manager.

Replace the Certificate of NSX Manager for Consolidated SDDC
After you replace the certificates of all Platform Services Controller instances and all vCenter Server instances, replace the expiring certificates for the NSX Manager instances. Use the following certificate file to replace the certificate on the NSX Manager instance:
Table 1-6. Certificate-Related Files on the NSX Manager Instance for Consolidated SDDC
    NSX Manager FQDN                      Certificate Filename
    sfo01w01nsx01.sfo01.rainpole.local    sfo01w01nsx01.sfo01.4.p12
1 Log in to the NSX Manager appliance user interface.
  a Open a Web browser and go to https://sfo01w01nsx01.sfo01.rainpole.local.
  b Log in using the following credentials.
    Setting    Value
    User name  admin
    Password   nsx_manager_admin_password
2 On the Home page, select Manage Appliance Settings.
3 On the Manage tab, click SSL Certificates, and click Upload PKCS#12 Keystore.
4 Browse to the certificate chain file sfo01w01nsx01.4.p12, provide the keystore password or passphrase, and click Import.
5 Restart the NSX Manager to propagate the CA-signed certificate.
  a In the right corner of the NSX Manager page, click the Settings icon.
  b From the drop-down menu, select Reboot Appliance.
  c In the Reboot Confirmation dialog box, click Yes.

Connect NSX Manager to vCenter Server for Consolidated SDDC
After you replace the certificate of an NSX Manager instance, you reconnect it to Platform Services Controller and vCenter Server to update the certificate on these components.

1 Log in to the NSX Manager appliance user interface.
  a Open a Web browser and go to https://sfo01w01nsx01.sfo01.rainpole.local.
  b Log in using the following credentials.
    Setting    Value
    User name  admin
    Password   nsx_manager_admin_password
2 Click Manage vCenter Registration.
3 Under Lookup Service URL, click Edit.
4 In the Lookup Service URL dialog box, enter the following settings and click OK.
    Setting                       Value
    Lookup Service Host           sfo01w01psc01.sfo01.rainpole.local
    Lookup Service Port           443
    SSO Administrator User Name   administrator@vsphere.local
    Password                      vsphere_admin_password
5 In the Trust Certificate? dialog box, click Yes.
6 Under vCenter Server, click Edit.
7 In the vCenter Server dialog box, enter the following settings, and click OK.
    Setting             Value
    vCenter Server      sfo01w01vc01.sfo01.rainpole.local
    vCenter User Name   svc-nsxmanager@rainpole.local
    Password            svc-nsxmanager_password
8 In the Trust Certificate? dialog box, click Yes.
9 Wait for the Status indicators for the Lookup Service URL and vCenter Server to change to the Connected status.

Reconnect NSX Manager for Consolidated SDDC to vRealize Operations Manager
After you replace the certificate on each NSX Manager instance in the region, reconnect the NSX adapter in vRealize Operations Manager to update the certificate on vRealize Operations Manager.

1 Log in to the vRealize Operations Manager master node by using the administration interface.
  a Open a Web browser and go to https://vrops01svr01.rainpole.local.
  b Log in using the following credentials.
    Setting    Value
    User name  admin
    Password   vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane of vRealize Operations Manager, under Management, click Certificates.
4 Delete the certificates with the following CNs.
    - CN=sfo01w01nsx01.sfo01.rainpole.local
5 In the left pane of vRealize Operations Manager, click Solutions.
6 From the solution table on the Solutions page, select the Management Pack for NSX-vSphere solution, and click the Configure icon.
7 In the Manage Solutions dialog box, from the Adapter Type table, select NSX-vSphere Adapter.
8 Click the sfo01w01nsx01-sfo01 adapter instance, click Test Connection, and accept the new certificate.
9 Click Save Settings, and click Close.

Replace Certificates of the Operations Management Components for Consolidated SDDC
If the certificate of vRealize Operations Manager or vRealize Log Insight expires, replace it and update it on the management components in the region to maintain a secure connection.
1 Replace Certificate on the vRealize Suite Lifecycle Manager Appliance for Consolidated SDDC
  To establish a trusted connection to vRealize Suite Lifecycle Manager, you replace the SSL certificate on the appliance with a custom certificate signed by a certificate authority available on the parent Active Directory or on the intermediate Active Directory.
2 Replace vRealize Operations Manager Certificate for Consolidated SDDC
  Log in to the administrator interface of the master node of vRealize Operations Manager and use the PEM file generated by the CertGenVVD utility to replace the current certificate.
3 Replace vRealize Log Insight Certificate for Consolidated SDDC
  Update the certificate chain of vRealize Log Insight to use a trusted non-default certificate after deployment or to replace a certificate that is soon to expire. In this way, the connection to the vRealize Log Insight user interface remains trusted.

Replace Certificate on the vRealize Suite Lifecycle Manager Appliance for Consolidated SDDC
To establish a trusted connection to vRealize Suite Lifecycle Manager, you replace the SSL certificate on the appliance with a custom certificate signed by a certificate authority available on the parent Active Directory or on the intermediate Active Directory.
1 Rename the certificates generated using the VMware Validated Design Certificate Generation Utility for vrslcm01svr01.rainpole.local.
    Original Certificate Filename    New Certificate Filename
    vrslcm01svr01.2.chain.pem        server.crt
    vrslcm01svr01-orig.key           server.key
2 Overwrite the existing server.crt and server.key files in the /opt/vmware/vlcm/cert directory with the previously generated CA-signed certificate files. You can use SCP software such as WinSCP.
3 Log in to the vRealize Suite Lifecycle Manager appliance by using a Secure Shell (SSH) client.
  a Open an SSH connection to vrslcm01svr01.rainpole.local.
  b Log in using the following credentials.
    Setting    Value
    User name  root
    Password   vrslcm_root_password
4 Restart the vRealize Suite Lifecycle Manager services to update the appliance certificate.
  a Restart the system services by running the following command in the SSH session.
    systemctl restart vlcm-xserver
  b Check the status of the system services by running the following command in the SSH session.
    systemctl status vlcm-xserver
5 After restarting the services, verify that the certificate is updated on the appliance.
  a Close any open Web browsers, open a new Web browser window, and go to https://vrslcm01svr01.rainpole.local/vrlcm.
  b Verify that you see the new certificate in the browser.

Replace vRealize Operations Manager Certificate for Consolidated SDDC
Log in to the administrator interface of the master node of vRealize Operations Manager and use the PEM file generated by the CertGenVVD utility to replace the current certificate.
1 Log in to the vRealize Operations Manager master node by using the administration interface.
  a Open a Web browser and go to https://vrops01svr01.rainpole.local/admin.
  b Log in using the following credentials.
    Setting    Value
    User name  admin
    Password   vrops_admin_password
2 At the upper right corner of the user interface, click the SSL Certificate icon.
3 In the SSL Certificate dialog box, click Install New Certificate.
4 In the Install New Certificate dialog box, click Browse, locate the vrops-for-1-pod.2.chain.pem PEM file, and click Open.
5 In the Install New Certificate dialog box, verify the certificate details, and click Install.

Replace vRealize Log Insight Certificate for Consolidated SDDC
Update the certificate chain of vRealize Log Insight to use a trusted non-default certificate after deployment or to replace a certificate that is soon to expire. In this way, the connection to the vRealize Log Insight user interface remains trusted.
1 Log in to the vRealize Log Insight user interface.
  a Open a Web browser and go to https://sfo01vrli01.sfo01.rainpole.local.
  b Log in using the following credentials.
    Setting    Value
    User name  admin
    Password   vrli_admin_password
2 In the vRealize Log Insight user interface, click the configuration drop-down menu icon and select Administration.
3 Under Configuration, click SSL.

4 On the SSL Configuration page, next to New Certificate File (PEM format), click Choose File, browse to the location of the PEM file on your computer, and click Save.
    Certificate Generation Option    Certificate File
    Using the CertGenVVD tool        vrli-for-1-pod.2.chain.pem
  The certificate is uploaded to vRealize Log Insight.
5 Open a Web browser and go to https://sfo01vrli01.sfo01.rainpole.local. A warning message that the connection is not trusted appears.
6 To review the certificate, click the padlock icon in the address bar of the browser, and verify that Subject Alternative Name contains the names of the vRealize Log Insight cluster nodes.

Replace Certificates of the Cloud Management Platform Components for Consolidated SDDC
After you generate signed certificates for the Cloud Management Platform, replace them and update them on the management components in the region to maintain a secure connection.
1 Replace the vRealize Automation Certificate for Consolidated SDDC
  Replace the existing certificate for all vRealize Automation services from the vRealize Automation Management Console. You replace the certificate on the vRealize Automation Appliance, IaaS Web server, and IaaS Manager server to maintain trusted communication between the vRealize Automation nodes.
2 Update the vRealize Automation Certificate on vRealize Orchestrator and vRealize Business for Consolidated SDDC
  After you update the vRealize Automation certificate, reconnect vRealize Orchestrator and vRealize Business to vRealize Automation to install the new certificate on each component.
3 Update the vRealize Automation Certificate on vRealize Operations Manager for Consolidated SDDC
  After you change the certificate of the vRealize Automation Appliance and IaaS components, update the certificate on vRealize Operations Manager to keep the communication trusted by reconnecting the vRealize Automation Adapter.
4 Replace the Certificate on vRealize Business for Cloud Server for Consolidated SDDC
  Replace the default or existing SSL certificate of vRealize Business for Cloud with a new certificate using the vRealize Business appliance management console.
  This certificate is used when you access the Web interface of the vRealize Business for Cloud Server.

Replace the vRealize Automation Certificate for Consolidated SDDC
Replace the existing certificate for all vRealize Automation services from the vRealize Automation Management Console. You replace the certificate on the vRealize Automation Appliance, IaaS Web server, and IaaS Manager server to maintain trusted communication between the vRealize Automation nodes.
1 Log in to the vRealize Automation appliance.
  a Open a Web browser and go to https://vra01svr01.rainpole.local:5480.
  b Log in using the following credentials.
    Setting    Value
    User name  root
    Password   vra_appA_root_password
2 On the vRA Settings tab, click the Certificates subtab.
3 Under vRA Certificate, select Import.
4 From a text editor on the Windows host where you run the CertGenVVD utility, copy the content of the certificate files to the respective text boxes, and click Save Settings.
    Source Content                                    Target Text Box
    vra-for-1-pod.key                                 RSA Private Key
    vra-for-1-pod.3.pem                               Certificate Chain
    Passphrase you optionally entered at generation   Passphrase
5 Repeat the procedure to configure the IaaS Web server and IaaS Manager Service with the new certificate details.
    IaaS Component        Component Type    Certificate Action
    IaaS Web server       IaaS Web          Import Certificate
    IaaS Manager Service  Manager Service   Import Certificate

Update the vRealize Automation Certificate on vRealize Orchestrator and vRealize Business for Consolidated SDDC
After you update the vRealize Automation certificate, reconnect vRealize Orchestrator and vRealize Business to vRealize Automation to install the new certificate on each component.