This article is part of a series on configuring PSC HA. For the main article, see:
Process to create certificates to use in configuring PSC High Availability:
- Creating the certificate request
- Generating a Certificate
- Preparing Certificates
- Replacing the Certificates on the Platform Services Controller
Creating the certificate request
- Using a text editor, create the psc_ha_csr_cfg.cfg file with these entries:
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
x509_extensions = v3_req
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid,issuer
subjectAltName = DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
[ req_distinguished_name ]
countryName = Country (NOTE: Country name should be two letters. For Example: CA for Canada)
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = psc-ha-vip.domain.com
Notes:
- The subjectAltName values should contain all PSC FQDNs that will participate in this HA Site, including the Load Balanced FQDN.
- The commonName value should be the Load Balanced FQDN.
- Run this command to create a psc-ha-vip.csr and a psc-ha-vip.key file.
openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg
Note: rsa:2048 creates a private key with a 2048-bit key length. This value can be increased; 2048 is the minimum supported key length.
Generating a Certificate
Generating a certificate from the VMCA
- Edit psc_ha_csr_cfg.cfg and uncomment the line "#authorityKeyIdentifier=keyid,issuer" by removing the '#':
vi /certs/psc_ha_csr_cfg.cfg, press the Insert key and delete the # from the line "#authorityKeyIdentifier=keyid,issuer", then save the file (press the Esc key, type wq! and press Enter)
- Run this command to create the certificate from the psc-ha-vip.csr and the psc_ha_csr_cfg.cfg file, outputting a psc-ha-vip.crt file.
openssl x509 -req -days 3650 -in /certs/psc-ha-vip.csr -out /certs/psc-ha-vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg
- Run this command to copy the current VMCA root certificate and rename it to cachain.crt.
cp /var/lib/vmware/vmca/root.cer /certs/cachain.crt
- Run these commands to create the Machine SSL certificate file, named psc-ha-vip-chain.crt, containing the newly created certificate followed by the VMCA root certificate.
cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/cachain.crt >> /certs/psc-ha-vip-chain.crt
Generating a certificate from an external certificate authority
- Provide the certificate signing request generated in the previous steps to your preferred certificate authority. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).
- Run these commands to create a certificate chain named psc-ha-vip-chain.crt from the Machine SSL certificate, any intermediate CA certificate(s), and the root CA certificate, in that order.
Note: Depending on the certificate authority's configuration, adding the CustomInterCA#.crt files may not be needed.
cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomInterCA1.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomInterCA2.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomRootCA.crt >> /certs/psc-ha-vip-chain.crt
- If there are intermediate certificates, run these commands to create a cachain.crt containing the intermediate certificates and the root certificate.
cat /certs/CustomInterCA1.crt >> /certs/cachain.crt
cat /certs/CustomInterCA2.crt >> /certs/cachain.crt
cat /certs/CustomRootCA.crt >> /certs/cachain.crt
Preparing Certificates
Three certificates should have been created:
- psc-ha-vip-chain.crt
- psc-ha-vip.key
- cachain.crt
Validate the certificate information
- Run this command to open the certificate:
openssl x509 -in /certs/psc-ha-vip-chain.crt -noout -text
- Ensure that the Subject CN value is the correct Load Balanced FQDN (the VIP).
- Ensure that the DNS values contain all PSC FQDNs and the Load Balancer FQDN.
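The CSR, signing, chain-assembly and validation steps above, rehearsed end to end in a scratch directory. This is an added example, not part of the original article and not VMware tooling: it builds the request config from a list of node FQDNs so no SAN is forgotten, signs with a throwaway self-signed CA that stands in for the VMCA root (nothing under /var/lib/vmware/vmca is read or written), and then runs the checks a practitioner wants before handing files to certificate-manager: the Subject CN equals the VIP, the SAN list covers every PSC FQDN and the VIP, the private key belongs to the leaf certificate, and the leaf verifies against cachain.crt. The hostnames, the scratch CA and the WORK directory are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article): rehearse the CSR -> sign -> chain -> validate
# flow in a scratch directory. The CA here is a constructed stand-in for the VMCA
# root; /var/lib/vmware/vmca is never read or written.
set -eu
WORK="${WORK:-$(mktemp -d)}"                        # scratch dir standing in for /certs (assumption)
VIP="psc-ha-vip.domain.com"                          # Load Balanced FQDN (commonName)
NODES="psc-ha-a1.domain.com psc-ha-a2.domain.com"    # PSC nodes in the HA site (constructed)

# Build the request config from the node list; authorityKeyIdentifier stays
# commented for the CSR step, exactly as in the article's psc_ha_csr_cfg.cfg.
write_csr_config() {
    san=""
    for h in $NODES $VIP; do
        san="${san:+$san, }DNS:$h"
    done
    cat > "$WORK/psc_ha_csr_cfg.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
x509_extensions = v3_req
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid,issuer
subjectAltName = $san
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = $VIP
EOF
}
make_csr() {   # same openssl req invocation as the article, against the scratch dir
    openssl req -new -nodes -out "$WORK/psc-ha-vip.csr" -newkey rsa:2048 \
        -keyout "$WORK/psc-ha-vip.key" -config "$WORK/psc_ha_csr_cfg.cfg" 2>/dev/null
}
# Throwaway CA (constructed). A CA certificate must carry CA:true or
# `openssl verify` rejects the chain it signs.
make_test_ca() {
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = ca_ext' '[ dn ]' 'commonName = Test CA (stand-in for VMCA)' \
        '[ ca_ext ]' 'basicConstraints = critical, CA:true' \
        'keyUsage = keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$WORK/ca.cfg"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -config "$WORK/ca.cfg" \
        -keyout "$WORK/ca.key" -out "$WORK/root.cer" 2>/dev/null
}
# Uncomment authorityKeyIdentifier for signing (the article's vi step), sign the
# CSR, then assemble psc-ha-vip-chain.crt as leaf first, CA chain after.
sign_with_test_ca() {
    sed 's/^#authorityKeyIdentifier/authorityKeyIdentifier/' \
        "$WORK/psc_ha_csr_cfg.cfg" > "$WORK/psc_ha_sign_cfg.cfg"
    openssl x509 -req -days 3650 -in "$WORK/psc-ha-vip.csr" -out "$WORK/psc-ha-vip.crt" \
        -CA "$WORK/root.cer" -CAkey "$WORK/ca.key" -extensions v3_req -CAcreateserial \
        -extfile "$WORK/psc_ha_sign_cfg.cfg" 2>/dev/null
    cp "$WORK/root.cer" "$WORK/cachain.crt"
    cat "$WORK/psc-ha-vip.crt" "$WORK/cachain.crt" > "$WORK/psc-ha-vip-chain.crt"
}
# --- validation: openssl x509 reads only the first (leaf) certificate of a chain file ---
cert_cn() {
    openssl x509 -in "$WORK/psc-ha-vip-chain.crt" -noout -subject | sed 's/.*CN *= *//'
}
sans_cover_all_nodes() {   # every PSC FQDN and the VIP must appear as a DNS SAN
    list=$(openssl x509 -in "$WORK/psc-ha-vip-chain.crt" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    for h in $NODES $VIP; do
        printf '%s\n' "$list" | grep -qx "$h" || return 1
    done
}
key_matches_cert() {       # the .key handed to certificate-manager must belong to the leaf
    a=$(openssl x509 -in "$WORK/psc-ha-vip-chain.crt" -noout -modulus)
    b=$(openssl rsa -in "$WORK/psc-ha-vip.key" -noout -modulus 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
chain_verifies() {         # cachain.crt must actually be the signer of the leaf
    openssl verify -CAfile "$WORK/cachain.crt" "$WORK/psc-ha-vip.crt" >/dev/null 2>&1
}
run_rehearsal() { write_csr_config; make_csr; make_test_ca; sign_with_test_ca; }

run_rehearsal
printf 'Subject CN: %s\n' "$(cert_cn)"
sans_cover_all_nodes && echo "SANs cover all PSC FQDNs and the VIP"
key_matches_cert && echo "private key matches the leaf certificate"
chain_verifies && echo "leaf verifies against cachain.crt"
echo "output in $WORK"
```

Set WORK to an existing directory to keep the generated files where you can inspect them; otherwise a temporary directory is created and its path printed. The four validation functions read only the three files that certificate-manager is given (psc-ha-vip-chain.crt, psc-ha-vip.key, cachain.crt), so the same checks apply to a chain obtained from an external CA, where the chain_verifies check also catches a cachain.crt that is missing an intermediate.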
Replacing the Certificates on the Platform Services Controller
Note: The certificate must be replaced on all PSCs, not just on the primary node.
- Launch the Certificate-Manager using this command:
/usr/lib/vmware-vmca/bin/certificate-manager
- Select Option 1, then Option 2.
- Provide the paths to the psc-ha-vip-chain.crt, psc-ha-vip.key and cachain.crt files created in the Preparing Certificates section.
For example:
Please provide valid custom certificate for Machine SSL.
File : /certs/psc-ha-vip-chain.crt
Please provide valid custom key for Machine SSL.
File : /certs/psc-ha-vip.key
Please provide the signing certificate of the Machine SSL certificate
File : /certs/cachain.crt
Important: Replace the Machine SSL Certificate of the additional PSC using the same certificate.