Configuring certificates for PSC for High Availability in vSphere 6.5 and 6.7


Article ID: 322368


Updated On:


VMware vCenter Server


This article provides information on creating certificates to use in configuring Platform Service Controller High Availability.


VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x


This article is part of a series for configuring PSC HA. For the main article, see:

Process to create certificates to use in configuring PSC High Availability:

  1. Creating the certificate request
  2. Generating a Certificate
  3. Preparing Certificates
  4. Replacing the Certificates on the Platform Services Controller

Creating the certificate request

  1. Using a text editor, create the psc_ha_csr_cfg.cfg file with these entries:

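    [ req ]
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    x509_extensions = v3_req
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:false
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # Replace each <...> placeholder with the real FQDN for your site.
    subjectAltName = DNS:<PSC 1 FQDN>, DNS:<PSC 2 FQDN>, DNS:<Load Balanced FQDN>
    # Keep this line commented out while creating the CSR; it is uncommented
    # later, only when the certificate is generated from the VMCA.
    #authorityKeyIdentifier=keyid,issuer

    [ req_distinguished_name ]
    # NOTE: Country name should be two letters. For example: CA for Canada.
    countryName = Country
    stateOrProvinceName = State
    localityName = City
    0.organizationName = Company
    organizationalUnitName = Department
    commonName = <Load Balanced FQDN>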

    • The subjectAltName values should contain all PSC FQDNs that will participate in this HA Site, including the Load Balanced FQDN.
    • The commonName value should be the Load Balanced FQDN.
  2. Run this command to create a psc-ha-vip.csr and a psc-ha-vip.key file.

    openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg

    Note: rsa:2048 creates a private key with a 2048-bit key length. This value can be increased; 2048 is the minimum supported key length.

Generating a Certificate

Generating a certificate from the VMCA

  1. Edit psc_ha_csr_cfg.cfg and uncomment the line "#authorityKeyIdentifier=keyid,issuer" by removing the '#'.

    Open the file with vi /certs/psc_ha_csr_cfg.cfg, press the Insert key, delete the # from the line "#authorityKeyIdentifier=keyid,issuer", and save the file (press the Esc key, type :wq! and press Enter).
  2. Run this command to create the certificate from the psc-ha-vip.csr and the psc_ha_csr_cfg.cfg file, outputting a psc-ha-vip.crt file.

    openssl x509 -req -days 3650 -in /certs/psc-ha-vip.csr -out /certs/psc-ha-vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg
  3. Run this command to copy the current VMCA root certificate and rename it to cachain.crt.

    cp /var/lib/vmware/vmca/root.cer /certs/cachain.crt
  4. Run these commands to create the Machine SSL Certificate file, named psc-ha-vip-chain.crt, that contains the newly created certificate and the VMCA root certificate.

    cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
    cat /certs/cachain.crt >> /certs/psc-ha-vip-chain.crt

Generating a certificate from an external certificate authority

  1. Provide the certificate signing request generated in the previous steps to your preferred certificate authority. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).
  2. Run these commands to create a certificate chain named psc-ha-vip-chain.crt, using Root CA, Machine SSL Certificate, and any Intermediate CA(s).

    Note: Depending on the certificate server configuration, adding the CustomInterCA#.crt files may not be needed.

    cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
    cat /certs/CustomInterCA1.crt >> /certs/psc-ha-vip-chain.crt
    cat /certs/CustomInterCA2.crt >> /certs/psc-ha-vip-chain.crt
    cat /certs/CustomRootCA.crt >> /certs/psc-ha-vip-chain.crt

  3. If there are intermediate certificates, run these commands to create a cachain.crt of the intermediate certificates and the root certificate.

    cat /certs/CustomInterCA1.crt >> /certs/cachain.crt
    cat /certs/CustomInterCA2.crt >> /certs/cachain.crt
    cat /certs/CustomRootCA.crt >> /certs/cachain.crt
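
Because the chain files above are built with `>>` (append), running a command twice or in the wrong order leaves a file that still looks plausible. The following shell function is an added example, not part of the original article; the name check_chain_order is an assumption. It checks that a chain file is ordered leaf first and root last, for both the VMCA and the external CA case, and that no certificate appears twice:

```shell
# Added example: verify the order of a PEM chain file built with cat >>.
# Usage: check_chain_order /certs/psc-ha-vip-chain.crt
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert." n) }
    ' "$bundle"
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    rc=0; i=1; seen=""
    [ "$count" -gt 0 ] || { echo "FAIL: no certificates in $bundle"; rc=1; }
    while [ "$i" -le "$count" ]; do
        # A repeated fingerprint means a cat >> command was run more than once.
        fp=$(openssl x509 -in "$tmp/cert.$i" -noout -fingerprint -sha256)
        case "$seen" in
            *"$fp"*) echo "FAIL: certificate $i is a duplicate"; rc=1 ;;
        esac
        seen="$seen $fp"
        # Each certificate must be issued by the one that follows it.
        if [ "$i" -lt "$count" ]; then
            next=$((i + 1))
            iss=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer_hash)
            sub=$(openssl x509 -in "$tmp/cert.$next" -noout -subject_hash)
            if [ "$iss" != "$sub" ]; then
                echo "FAIL: certificate $i is not issued by certificate $next"
                rc=1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}
```

If the function reports a duplicate, delete the chain file and rebuild it from the individual certificates rather than editing it by hand.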

Preparing Certificates

Three certificates should have been created:

  • psc-ha-vip-chain.crt
  • psc-ha-vip.key
  • cachain.crt

Validate the certificate information

  1. Run this command to open the certificate:

    openssl x509 -in /certs/psc-ha-vip-chain.crt -noout -text
  2. Ensure that the Subject CN value is the correct Load Balanced FQDN of the VIP.
  3. Ensure that the DNS values contain all PSC FQDNs and the Load Balancer FQDN.
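
The checks above can be scripted so that they run identically on every PSC before the certificate is replaced. The following shell function is an added example, not part of the original article; the name check_psc_ha_cert and its argument order are assumptions. It goes beyond the listed steps by also confirming that the private key matches the certificate and that the certificate verifies against cachain.crt:

```shell
# Added example: pre-flight check of the PSC HA Machine SSL files.
# Usage: check_psc_ha_cert CHAIN KEY CACHAIN LB_FQDN PSC_FQDN...
check_psc_ha_cert() {
    chain=$1 key=$2 ca=$3 lb=$4
    shift 4
    rc=0

    # openssl x509 reads only the first certificate in the file (the leaf).
    cn=$(openssl x509 -in "$chain" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    if [ "$cn" != "$lb" ]; then
        echo "FAIL: Subject CN is '$cn', expected '$lb'"; rc=1
    fi

    # Collect the subjectAltName DNS entries, one per line.
    sans=$(openssl x509 -in "$chain" -noout -text |
           grep -A1 'Subject Alternative Name' | tail -n 1 |
           tr ',' '\n' | sed -n -e 's/ *$//' -e 's/^ *DNS://p')
    for name in "$lb" "$@"; do
        if ! printf '%s\n' "$sans" | grep -Fxq "$name"; then
            echo "FAIL: '$name' is missing from subjectAltName"; rc=1
        fi
    done

    # The private key must belong to the leaf certificate.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate"; rc=1
    fi

    # The leaf must verify against the signing chain. The output is matched
    # instead of the exit status, which older OpenSSL releases do not set reliably.
    if ! openssl verify -CAfile "$ca" "$chain" 2>&1 | grep -q ': OK$'; then
        echo "FAIL: certificate does not verify against $ca"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: certificate files are consistent"
    return "$rc"
}
```

Pass the Load Balanced FQDN first, followed by the FQDN of every PSC in the HA site.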

Replacing the Certificates on the Platform Services Controller

Note: Replacing the certificate needs to be done on all PSCs instead of just on the primary node.

  1. Launch the Certificate-Manager using this command:

  2. Select Option 1, then Option 2.
  3. Provide the paths to the psc-ha-vip-chain.crt, psc-ha-vip.key and cachain.crt files created in the Preparing Certificates section.

    For example:

    Please provide valid custom certificate for Machine SSL.
    File : /certs/psc-ha-vip-chain.crt
    Please provide valid custom key for Machine SSL.
    File : /certs/psc-ha-vip.key
    Please provide the signing certificate of the Machine SSL certificate
    File : /certs/cachain.crt

    Important: Replace the Machine SSL Certificate of the additional PSC using the same certificate.

Additional Information

Configuring Platform Service Controller HA in vSphere 6.5
Configuring PSC Appliance for High Availability in vSphere 6.5
