Configuring certificates for Windows Platform Services Controller for High Availability in vSphere 6.5 and 6.7



Article ID: 342881

Products

VMware vCenter Server

Issue/Introduction

This article contains information on creating certificates to use in configuring Platform Service Controller High Availability.

Environment

VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.5.x

Resolution

This article is part of a series on configuring PSC HA. For the main article, see:

Creating the certificate request

  1. Connect to the vCenter Server or Platform Service Controller.
  2. Create a C:\certs\ folder.
  3. Using a plain text editor, create the file C:\certs\psc_ha_csr_cfg.cfg with these entries:

    [ req ]
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req
    [ v3_req ]
    basicConstraints = CA:false
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = DNS:psc-ha-a1.example.com, DNS:psc-ha-a2.example.com, DNS:psc-ha-vip.example.com
    [ req_distinguished_name ]
    countryName = Country
    stateOrProvinceName = State
    localityName = City
    0.organizationName = Company
    organizationalUnitName = Department
    commonName = psc-ha-vip.example.com


    Notes:
    • The subjectAltName values should contain the FQDNs of all PSCs that will participate in this HA site, including the load-balanced FQDN.
    • The commonName value should be the load-balanced FQDN.
    • Replace the countryName, stateOrProvinceName, localityName, 0.organizationName and organizationalUnitName placeholders with your own values. countryName must be a two-letter country code; OpenSSL rejects longer values when creating the request.

  4. Open an elevated command prompt.
  5. Run this command to create the psc-ha-vip.csr certificate signing request and the psc-ha-vip.key private key:

    "%VMWARE_OPENSSL_BIN%"openssl req -new -nodes -out C:\certs\psc-ha-vip.csr -newkey rsa:2048 -keyout C:\certs\psc-ha-vip.key -config C:\certs\psc_ha_csr_cfg.cfg

    Note: rsa:2048 creates a 2048-bit RSA private key. This value can be increased; 2048 bits is the minimum supported key length.

Generating a certificate from the VMCA

  1. Run this command to sign psc-ha-vip.csr with the VMCA root certificate and private key, applying the v3_req extensions from psc_ha_csr_cfg.cfg, and write the result to psc-ha-vip.crt. Replace <path> with the location of the VMCA root certificate (root.cer) and its private key (privatekey.pem).

    "%VMWARE_OPENSSL_BIN%"openssl.exe x509 -req -days 3650 -in C:\certs\psc-ha-vip.csr -out C:\certs\psc-ha-vip.crt -CA <path>root.cer -CAkey <path>privatekey.pem -extensions v3_req -CAcreateserial -extfile C:\certs\psc_ha_csr_cfg.cfg
     
  2. Run this command to copy the VMCA root certificate, root.cer, into a new file named cachain.crt:

    more C:\certs\root.cer >> C:\certs\cachain.crt
     
  3. Run these commands to create the Machine SSL certificate chain file, psc-ha-vip-chain.crt, containing the newly created certificate followed by the VMCA root certificate:

    more C:\certs\psc-ha-vip.crt >> C:\certs\psc-ha-vip-chain.crt
    more C:\certs\cachain.crt >> C:\certs\psc-ha-vip-chain.crt

Generating a certificate from an external certificate authority

  1. Provide the certificate signing request generated in the previous steps to your preferred certificate authority. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014).
  2. Run these commands to create a certificate chain file named psc-ha-vip-chain.crt from the Machine SSL certificate, any intermediate CA certificate(s) and the Root CA certificate, in that order.

    Note: Depending on the certificate authority configuration there may be no intermediate CA, in which case the CustomInterCA#.crt lines are not needed.

    more C:\certs\psc-ha-vip.crt >> C:\certs\psc-ha-vip-chain.crt
    more C:\certs\CustomInterCA1.crt >> C:\certs\psc-ha-vip-chain.crt
    more C:\certs\CustomInterCA2.crt >> C:\certs\psc-ha-vip-chain.crt
    more C:\certs\CustomRootCA.crt >> C:\certs\psc-ha-vip-chain.crt

     
  3. If there are intermediate certificates, run these commands to create a cachain.crt file containing the intermediate certificate(s) followed by the root certificate:

    more C:\certs\CustomInterCA1.crt >> C:\certs\cachain.crt
    more C:\certs\CustomInterCA2.crt >> C:\certs\cachain.crt
    more C:\certs\CustomRootCA.crt >> C:\certs\cachain.crt

Preparing certificates

Three files should have been created:
  • psc-ha-vip-chain.crt
  • psc-ha-vip.key
  • cachain.crt
Validate the certificate information
  1. Run this command to open the certificate:

    "%VMWARE_OPENSSL_BIN%"openssl.exe x509 -in C:\certs\psc-ha-vip-chain.crt -noout -text
     
  2. Ensure that the Subject CN value is the correct load-balanced FQDN.
  3. Ensure that the DNS values in the Subject Alternative Name contain all PSC FQDNs and the load balancer FQDN.
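The whole workflow above, from the request config through the chain files to the checks in the Validate the certificate information section, as an added end-to-end example. It is not part of the original article and not VMware's own commands: it is a POSIX shell version run against Linux OpenSSL instead of the Windows "%VMWARE_OPENSSL_BIN%" binary, and a throwaway root CA plus one intermediate CA generated inside the script stand in for the VMCA root or an external CA. Because of the intermediate it exercises the external-CA chain layout (psc-ha-vip.crt, CustomInterCA1.crt, CustomRootCA.crt); the VMCA case from the earlier section is the same with the intermediate lines dropped. The ca.cnf config, the work directory and the helper names (leaf_cn, leaf_sans, san_has, chain_ok, validate_chain) are this example's own. Beyond reproducing the steps, it checks the CN and SAN values the article asks you to confirm, verifies the leaf against cachain.crt, and shows that the same CSR signed without -extensions v3_req -extfile comes back without its SAN.

```shell
#!/bin/sh
# Added example, not the article's commands: Linux OpenSSL re-creation of the
# article's workflow. The root CA and intermediate CA below are throwaway
# stand-ins for the VMCA root (or an external CA); host names are the article's.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Request config from the article, with placeholders filled (countryName must be 2 letters).
cat > psc_ha_csr_cfg.cfg <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:psc-ha-a1.example.com, DNS:psc-ha-a2.example.com, DNS:psc-ha-vip.example.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = psc-ha-vip.example.com
EOF

# Minimal CA config (this example's own) so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
commonName = placeholder
[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Throwaway root CA (stands in for the VMCA root) and one intermediate CA.
openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 -config ca.cnf \
  -subj "/CN=Example Root CA" -keyout CustomRootCA.key -out CustomRootCA.crt 2>/dev/null
openssl req -new -nodes -newkey rsa:2048 -sha256 -config ca.cnf \
  -subj "/CN=Example Intermediate CA" -keyout CustomInterCA1.key -out CustomInterCA1.csr 2>/dev/null
openssl x509 -req -days 3650 -sha256 -in CustomInterCA1.csr -CA CustomRootCA.crt \
  -CAkey CustomRootCA.key -CAcreateserial -extfile ca.cnf -extensions ca_ext \
  -out CustomInterCA1.crt 2>/dev/null

# Article steps: CSR + key, then signing. -extensions v3_req -extfile is what carries the SAN
# into the certificate; openssl x509 -req does not copy extensions from the CSR on its own.
openssl req -new -nodes -newkey rsa:2048 -keyout psc-ha-vip.key -out psc-ha-vip.csr \
  -config psc_ha_csr_cfg.cfg 2>/dev/null
openssl x509 -req -days 3650 -sha256 -in psc-ha-vip.csr -CA CustomInterCA1.crt \
  -CAkey CustomInterCA1.key -CAcreateserial -extensions v3_req -extfile psc_ha_csr_cfg.cfg \
  -out psc-ha-vip.crt 2>/dev/null
# Pitfall demo: the same CSR signed without those two options loses its SAN.
openssl x509 -req -days 3650 -sha256 -in psc-ha-vip.csr -CA CustomInterCA1.crt \
  -CAkey CustomInterCA1.key -CAcreateserial -out no-san.crt 2>/dev/null

# Chain files in the article's order: leaf, intermediate(s), root; cachain.crt = intermediate(s) + root.
# ">" instead of the article's "more >>" so a rerun does not append duplicate certificates.
cat psc-ha-vip.crt CustomInterCA1.crt CustomRootCA.crt > psc-ha-vip-chain.crt
cat CustomInterCA1.crt CustomRootCA.crt > cachain.crt

# Validation helpers (this example's own). openssl x509 reads only the first certificate of a
# chain file, so these inspect the leaf, which is why the leaf must come first.
leaf_cn() { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }
leaf_sans() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '; }
san_has() { leaf_sans "$1" | tr ',' '\n' | grep -qx "DNS:$2"; }
chain_ok() { openssl verify -CAfile cachain.crt "$1" >/dev/null 2>&1; }

# The article's checks in one place: CN is the VIP, SAN lists the VIP and every PSC,
# and the leaf verifies against cachain.crt. Usage: validate_chain CHAIN VIP PSC...
validate_chain() {
  f="$1"; vip="$2"; shift 2
  [ "$(leaf_cn "$f")" = "$vip" ] || { echo "CN is '$(leaf_cn "$f")', expected $vip"; return 1; }
  for h in "$vip" "$@"; do
    san_has "$f" "$h" || { echo "SAN does not list $h"; return 1; }
  done
  chain_ok "$f" || { echo "$f does not verify against cachain.crt"; return 1; }
  echo "OK: $f  CN=$vip  SAN=$(leaf_sans "$f")"
}

validate_chain psc-ha-vip-chain.crt psc-ha-vip.example.com psc-ha-a1.example.com psc-ha-a2.example.com
```

Running validate_chain against no-san.crt fails at the SAN check even though its CN and its chain are fine, which is exactly the defect the article's step 3 of the validation is meant to catch before the file is handed to certificate-manager. The same helpers can be pointed at a chain produced on the Windows PSC by copying the three files to a Linux host with OpenSSL.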

Replacing the Certificates on the Platform Services Controller

  1. Launch the Certificate-Manager with this command:

    "C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager"
     
  2. Select Option 1, then Option 2.
  3. Provide the paths to the psc-ha-vip-chain.crt, psc-ha-vip.key and cachain.crt files created in the Preparing Certificates section.

    For example:

    Please provide valid custom certificate for Machine SSL.
    File : C:\certs\psc-ha-vip-chain.crt
    Please provide valid custom key for Machine SSL.
    File : C:\certs\psc-ha-vip.key
    Please provide the signing certificate of the Machine SSL certificate
    File : C:\certs\cachain.crt

    Important: Replace the Machine SSL certificate of the additional PSC using the same certificate, key and chain files.