vCenter HA: Replace Certificates for vCenter

***UPDATED***

This post is part of a series on deploying Highly Available vCenter and Platform Services Controllers.

Part 1: vCenter HA: Deploy External Platform Services Controller

Part 2: vCenter HA: Configure NetScaler for External Platform Services Controllers

Part 3: vCenter HA: Replace Certificates for Platform Services Controllers

Part 4: vCenter HA: Connect Platform Services Controllers to Active Directory

Part 5: vCenter HA: Deploy vCenter

Part 6: vCenter HA: Replace Certificates for vCenter

Part 7: vCenter HA: License vCenter

Part 8: vCenter HA: Add and Configure Hosts and Clusters

Part 9: vCenter HA: Add and Configure Datastores and Datastore Clusters

Part 10: vCenter HA: Add and Configure Distributed Switches

Part 11: vCenter HA: Configure vCenter HA

Part 12+: Advanced Tasks (Coming soon)

 

In this section, we are going to be configuring CSRs, requesting certificates, and replacing them on our Platform Services Controllers. You will need to make sure that you have some kind of certificate authority available in your environment. We will be going over using a Microsoft CA to issue certificates. There is a KB article about how to configure this, but it doesn’t exactly work. Use this post:  Configure Microsoft CA Templates for VMware with SHA2-256

If you don’t have SHA2 then shame on you. You should get on it. Even if you replace your certificates with SHA1, you will still receive those pesky weak key errors in Chrome and Firefox. IE hasn’t deprecated SHA1, but it’s coming from what I understand.

You will need to download OpenSSL for Windows (unless you are using Linux).

Here is the link for Windows:  Win32 OpenSSL

Download either the 32-bit or 64-bit Light version of 1.1.0e. Once it is downloaded, install it.

Now that you have your Certificate Authority and OpenSSL ready to go, we will begin.

Here is an example config for OpenSSL:  psca.cfg

Download the example and modify it for your FQDNs for the servers and VIP.

Save the file to your OpenSSL\bin directory.

Open a command prompt and run the following command:

openssl req -new -nodes -out vca.csr -newkey rsa:2048 -keyout psca.key -config vca.cfg


vCenter HA: Replace Certificates for Platform Services Controllers

***UPDATED***


In this section, we are going to be configuring CSRs, requesting certificates, and replacing them on our Platform Services Controllers. You will need to make sure that you have some kind of certificate authority available in your environment. We will be going over using a Microsoft CA to issue certificates. There is a KB article about how to configure this, but it doesn’t exactly work. Use this post:  Configure Microsoft CA Templates for VMware with SHA2-256

If you don’t have SHA2 then shame on you. You should get on it. Even if you replace your certificates with SHA1, you will still receive those pesky weak key errors in Chrome and Firefox. IE hasn’t deprecated SHA1, but it’s coming from what I understand.

You will need to download OpenSSL for Windows (unless you are using Linux).

Here is the link for Windows:  Win32 OpenSSL

Download either the 32-bit or 64-bit Light version of 1.1.0e. Once it is downloaded, install it.

Now that you have your Certificate Authority and OpenSSL ready to go, we will begin.

 

Here is an example config for OpenSSL:  psca.cfg

Download the example and modify it for your FQDNs for the servers and VIP.

Save the file to your OpenSSL\bin directory.

Open a command prompt and run the following command:

 

openssl req -new -nodes -out psca.csr -newkey rsa:2048 -keyout psca.key -config psca.cfg
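
Before submitting the request to the CA, it is worth confirming that the CSR is signed with SHA-256 and carries every server and VIP name as a subject alternative name. The script below is an added example, not the post's psca.cfg or the author's code; the hostnames, file names and the functions make_csr and check_csr are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the post). Hostnames and file names are constructed placeholders.

# make_csr <workdir> <common-name> <san>...
# Writes req.cfg, req.key and req.csr into <workdir>; runs in a subshell so umask stays local.
make_csr() (
    umask 077                      # private key readable by the owner only
    dir=$1; cn=$2; shift 2
    i=0; sans=""
    for name in "$@"; do
        i=$((i + 1))
        sans="${sans}DNS.${i} = ${name}
"
    done
    cat > "$dir/req.cfg" <<EOF
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = ${cn}

[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
${sans}
EOF
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -keyout "$dir/req.key" -out "$dir/req.csr" -config "$dir/req.cfg" 2>/dev/null
)

# check_csr <csr-file> <san>...
# Returns 0 if the CSR parses, is signed with SHA-256, and lists every expected SAN;
# 1 = unreadable CSR, 2 = not SHA-256, 3 = a SAN is missing.
check_csr() {
    csr=$1; shift
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 2
    for name in "$@"; do
        echo "$text" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:${name}" || return 3
    done
    return 0
}
```

Run make_csr in a scratch directory, then run check_csr with the same list of names before pasting the request into the CA. A non-zero return tells you which property is missing while the request is still cheap to regenerate.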
