This post is part of a series on deploying Highly Available vCenter and Platform Services Controllers.
In this section, we are going to be configuring CSRs, requesting certificates, and replacing them on our Platform Services Controllers. You will need to make sure that you have some kind of certificate authority available in your environment. We will be going over using a Microsoft CA to issue certificates. There is a KB article about how to configure this, but it doesn’t exactly work. Use this post: Configure Microsoft CA Templates for VMware with SHA2-256
If you don’t have SHA2 then shame on you. You should get on it. Even if you replace your certificates with SHA1, you will still receive those pesky weak key errors in Chrome and Firefox. IE hasn’t deprecated SHA1, but it’s coming from what I understand.
You will need to download OpenSSL for Windows (unless you are using Linux).
Here is the link for Windows: Win32 OpenSSL
Go ahead and download either the 32-bit or 64-bit Light version of 1.1.0e. Once it is downloaded, go ahead and install it.
Now that you have your Certificate Authority and OpenSSL ready to go, we will begin.
Here is an example config for OpenSSL: psca.cfg
Download the example and modify it with the FQDNs of your servers and the VIP.
Save the file to your OpenSSL\bin directory.
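Open a command prompt in that directory and run the following command. The -nodes option writes psca.key without a passphrase, so keep the key file where only administrators can read it:
openssl req -new -nodes -out psca.csr -newkey rsa:2048 -keyout psca.key -config psca.cfg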
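
Before submitting the request to the CA, it is worth confirming that the CSR is signed with SHA-256 and carries every FQDN as a subject alternative name. The script below is an added example, not the post's psca.cfg or code from the author: the config contents, the `example.test` FQDNs and the `make_csr`/`check_csr` helper names are assumptions, and it is written for a POSIX shell (the `openssl` invocations are the same from a Windows command prompt).

```shell
#!/bin/sh
# Added example. Config and FQDNs are constructed placeholders, not the post's psca.cfg.
set -eu

make_csr() {   # $1 = directory that receives psca.cfg, psca.key, psca.csr
    dir=$1
    cat > "$dir/psca.cfg" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
C  = US
O  = Example Org
CN = psc-vip.example.test
[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = psc-vip.example.test
DNS.2 = psc01.example.test
DNS.3 = psc02.example.test
EOF
    # -nodes leaves the key unencrypted, so create it owner-readable only.
    ( umask 077
      openssl req -new -nodes -newkey rsa:2048 -config "$dir/psca.cfg" \
          -keyout "$dir/psca.key" -out "$dir/psca.csr" )
}

check_csr() {  # $1 = CSR path, remaining args = FQDNs that must be SANs
    csr=$1; shift
    # Return 1: CSR cannot be parsed, 2: not SHA-256, 3: a SAN is missing.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -qF 'Signature Algorithm: sha256WithRSAEncryption' || return 2
    for name in "$@"; do
        printf '%s\n' "$text" | grep -qF "DNS:$name" || return 3
    done
}

work=$(mktemp -d)
make_csr "$work"
check_csr "$work/psca.csr" psc-vip.example.test psc01.example.test psc02.example.test \
    && echo "CSR OK: SHA-256 signature, all SANs present"
```

A non-zero return from `check_csr` means the config needs fixing before the request goes to the CA, since a missing SAN cannot be added after the certificate is issued.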