-------------------------------------------------------------------------Step 1--------------------------------------------------------------------------------------------
root@ [ ~ ]# pwd
/root
root@ [ ~ ]# mkdir certs
root@ [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
*** Welcome to the vSphere 6.7 Certificate Manager *** | | -- Select Operation -- | | 1. Replace Machine SSL certificate with Custom Certificate | | 2. Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates | | 3. Replace Machine SSL certificate with VMCA Certificate | | 4. Regenerate a new VMCA Root Certificate and replace all certificates | | 5. Replace Solution user certificates with Custom Certificate | | 6. Replace Solution user certificates with VMCA certificates | | 7. Revert last performed operation by re-publishing old certificates | 8. Reset all Certificates Note : Use Ctrl-D to exit. Option[1 to 8]:
Note : Use Ctrl-D to exit. Option[1 to 8]: 1 Please provide valid SSO and VC privileged user credential to perform certificate operations. Enter username [Administrator@vsphere.local]: Enter password: 1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate 2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate Option [1 or 2]:
Please provide a directory location to write the CSR(s) and PrivateKey(s) to: Output directory path: /root/certs Please configure certool.cfg with proper values before proceeding to next step. Press Enter key to skip optional parameters or use Default value. Enter proper value for 'Country' [Default value : US] : Country Enter proper value for 'Name' [Default value : CA] : Name for VC Enter proper value for 'Organization' [Default value : VMware] : DellEMC Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : Services Enter proper value for 'State' [Default value : California] : Country Enter proper value for 'Locality' [Default value : Palo Alto] : DIC Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : IP of VCSA Enter proper value for 'Email' [Default value : email@acme.com] : Email address Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [ Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : VC FQDN Enter proper value for VMCA 'Name' :qpsc 2019-03-20T11:51:14.121Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/root/certs/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub'] 2019-03-20T11:51:14.334Z Done running command 2019-03-20T11:51:14.335Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsr', '--privkey', '/root/certs/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub', '--config', '/var/tmp/vmware/certool.cfg', '--csrfile', '/root/certs/vmca_issued_csr.csr'] 2019-03-20T11:51:14.452Z Done running command CSR generated at: /root/certs/vmca_issued_csr.csr 1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate 2. Exit certificate-manager Signing request file is at /root/certs/vmca_issued_csr.csr Option [1 or 2]: 2 root@qpsc [ ~ ]# ls -h /root/certs/ vmca_issued_csr.csr vmca_issued_key.key
root@qpsc [ ~ ]# cat /root/certs/vmca_issued_csr.csr-----BEGIN CERTIFICATE REQUEST----- MIIDBDCCAewCAQAwXzENMAsGA1UEAwwEcXBzYzELMAkGA1UEBhMCQUUxDjAMBgNV BAgMBUR1YmFpMQwwCgYDVQQHDANESUMxEDAOBgNVBAoMB0RlbGxFTUMxETAPBgNV BAsMCFNlcnZpY2VzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0f2 EFXQYOTGJ99tJYCLrCPGelLoWQqVcEBtwA6VnOOzRyJr2TX8q9TYgnbXpYwkgH57 OO8Cs663CEUIRqDITbBjPaEUSm3hy68tsH9Y4X+7VKJhx92GSLAuioXUGOzjoIHO SgEI0URwaSRoVQ5TRvFYiIURY8wf5ofTl1pOisKA3VOy2XduKtXCwBh9uA9WOdw0 5MeCbO2P9qcK/MylxHg7WvqXk0KqEC4QQdKtcSCX5U/jaTTwk8YSZ9pjZVkIV9Gc dM7lo4QLJ9Jw2we5+u0doMqhdm/QI30n0fpCRtknIDZCItbZulSsgd8smBfoS5Uj ypTcBiBX4Xig3/oeQwIDAQABoGAwXgYJKoZIhvcNAQkOMVEwTzAuBgNVHREEJzAl gQ5hZG1pbkBkdWJhaS5hZIcECjvzVoINcXBzYy5kdWJhaS5hZDAdBgNVHQ4EFgQU YT9u3+1wEJ7jq9QE6LyrtUwlEsYwDQYJKoZIhvcNAQELBQADggEBAEiG/0v9yV7t EWXJ4yXfvgI44TAA62mJM75ymLf38yPTe4295y3OT5U/q1/sNuwHguyyFAdmpXsd TpocgKYiiSsMZNadXASq0GW1nzKD76geV6v9FgvnWRvHavVLDBwVPZw4+zNMuPaJ SCm8y+Ww/uDReK7PUnVc5ofZI+/DFWXPE3RnIzfL/tyIQf+FD6aemfAaK7ISa1XU kBfgTR2qFU+HKwPyrEufJpWxMWfDk6AQTbpm5P5+P11WQ0ramiF+iriNa3KzMOqG 5X7FAYvVOGTP4L5JpOJ8jP2xi8+diHd0D03IPQ1vYtVncVRxQTcf6axyqPq0F0sq b2vw6oeu7gk= -----END CERTIFICATE REQUEST-----
root@qpsc [ ~ ]# root@qpsc [ ~ ]# cat /root/certs/vmca_issued_key.key-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3R/YQVdBg5MYn 320lgIusI8Z6UuhZCpVwQG3ADpWc47NHImvZNfyr1NiCdteljCSAfns47wKzrrcI RQhGoMhNsGM9oRRKbeHLry2wf1jhf7tUomHH3YZIsC6KhdQY7OOggc5KAQjRRHBp JGhVDlNG8ViIhRFjzB/mh9OXWk6KwoDdU7LZd24q1cLAGH24D1Y53DTkx4Js7Y/2 pwr8zKXEeDta+peTQqoQLhBB0q1xIJflT+NpNPCTxhJn2mNlWQhX0Zx0zuWjhAsn 0nDbB7n67R2gyqF2b9AjfSfR+kJG2ScgNkIi1tm6VKyB3yyYF+hLlSPKlNwGIFfh eKDf+h5DAgMBAAECggEAGnBpEKYwbynRZAMZDaXjgCuRAChhmCastAq3SlNQRdeb DxHqGOVu06LasMdQCHOU+GxGfkoMS7tScAD1Vqru+jYNuuA3uxzqy6UzpBhay/zP G0BpdpmAO5AexqDTndzeYVMYXRiVGwsSZDh6THrKjJtYOClp/sl9eJXzcgv29JEn 4jaHa+7JPvtFsQ9oQWLq6gRu59Ytr1KqfiDknHQMGHSXjggaD8hiUkbpe766TemY E0vT8KwLvUlKFB52G/iegDhuX/GBCeqyzshkimt0refsQ+h0cik2VI/d4vlz5Jy+ AWu8IJ3zL5x7J1Ts5IXXjqL+E4PxlVEZm1NSn4jWMQKBgQDa4N/dgpClHdG/MP63 7Iu1gG8I9SFho4NcrBiPjbKOZCvHcmU9L3oRWTTfhapt8cOVmfPueT0wrvd/hJtB +4XT0V8YXzgM4q4S4iC7Qcf6XARgDIrb98IUNod5rsViCVRQkiRui+0vLU0w/iLd 3vPmooyKG0ipAPa6TYdLlv7kDwKBgQDWXYt0qCGfP3nXW58uBpFSR5suGFh63QKa YnTYjCqYJdg7TC/3/VxVfPAZNovXY/ZvnPn0DqzW39nNLTXdDjnR4fKG4+46vSkG 6J639aQSVfGCY94QDWQ60k8iqRm4RUzgkdBBMZU9pzIxDceQ6v/T1J11YsX39Ha1 xkiU15dejQKBgFovC65eTLDr329ShbFMsqffOmDLd6yeTdLSSfBkJu0KkwtDtDkI pdgeFG4Ayh8w3TB31Y0twSuc+/c7sSj3tMV44CDPou2UPLslFu1xBi++2EKnCFPn +ryPVzSo8UUaqPXlsUMnPlwQ41xLahxW79HYqeWBpmeUMRTEOvnHRlC7AoGBAIPP nXKr95CeTWM4+VYpv63iTe84FR/nSjR4GfUVqxNHIgDERjKs3dvLKS+3tKFK3Duh QKjrZSfzGU/qXtaAatk9oA2FlfUUX2faHc5sAukrY4eTtPYV5e2tZ++eHyyJoE3u GyobPPNeHaTAHlhjx88PS4rko2pmLaB0PikXsAH5AoGAFl++M9nQhSVC9vWQKwFb 4zX8SF06rrBwIgvozc8SRqltmDR21BbeQ0vKW+iHtu/FJpnkzLNxSQWYHURr1noF M52YT/4pLmPnIFggCd/MMBpzxg4uBiXaXQI0E6V1SAfJysyrq6mC88q7utm52RWc bMbWTeuNVR7T6bFnhlkzOR4= -----END PRIVATE KEY-----
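Note: only the CSR has to leave the appliance to be signed by the CA (certnew.cer and cachaincer.cer in Step 2 are presumably the CA's response). vmca_issued_key.key can stay in /root/certs, where the import in Step 2 reads it. A private key that has been printed to a terminal log or copied to a workstation, as in this transcript, should be treated as disclosed; generate a new key and CSR for any certificate that goes into production.
-------------------------------------------------------------------------Step 2--------------------------------------------------------------------------------------------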
scp /cygdrive/c/certs/* root@:/root/certs/
VMware vCenter Server Appliance 6.7.0.21000
Type: VMware Platform Services Controller
cachain.p7b 100% 1328 1.3KB/s 00:00
cachaincer.cer 100% 1266 1.2KB/s 00:00
certnew.cer 100% 2004 2.0KB/s 00:00
certnew.p7b 100% 5238 5.1KB/s 00:00
vmca_issued_csr.csr 100% 1122 1.1KB/s 00:00
vmca_issued_key.key 100% 1703 1.7KB/s 00:00
SSH root
VMware vCenter Server Appliance 6.7.0.21000
Type: VMware Platform Services Controller
root@qpsc [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
*** Welcome to the vSphere 6.7 Certificate Manager *** | | -- Select Operation -- | | 1. Replace Machine SSL certificate with Custom Certificate | | 2. Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates | | 3. Replace Machine SSL certificate with VMCA Certificate | | 4. Regenerate a new VMCA Root Certificate and replace all certificates | | 5. Replace Solution user certificates with Custom Certificate | | 6. Replace Solution user certificates with VMCA certificates | | 7. Revert last performed operation by re-publishing old certificates | 8. Reset all Certificates Note : Use Ctrl-D to exit. Option[1 to 8]:
Option[1 to 8]: 1 Please provide valid SSO and VC privileged user credential to perform certificate operations. Enter username [Administrator@vsphere.local]: Enter password: 1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate 2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate Option [1 or 2]: Import custom: Option [1 or 2]: 2 Please provide valid custom certificate for Machine SSL. File : /root/certs/certnew.cer Please provide valid custom key for Machine SSL. File : /root/certs/vmca_issued_key.key Please provide the signing certificate of the Machine SSL certificate File : /root/certs/cachaincer.cer You are going to replace Machine SSL cert using custom cert Continue operation : Option[Y/N] ? : Y Command Output: /root/certs/certnew.cer: OK Get site nameCompleted [Replacing Machine SSL Cert...] default-first-site Lookup all services Get service default-first-site:c8b2c8ae-96a0-4104-aecd-b54df3676574 Update service default-first-site:c8b2c8ae-96a0-4104-aecd-b54df3676574; spec: /tmp/svcspec_t8ya_1yk Get service default-first-site:0b3330ad-5ad9-4754-8756-4cb1ebd8d11a Update service default-first-site:0b3330ad-5ad9-4754-8756-4cb1ebd8d11a; spec: /tmp/svcspec_wgnl6ln8 ...................................... ..................................... Get service 684e18e9-bbb5-4054-95aa-53a1d75449dc Update service 684e18e9-bbb5-4054-95aa-53a1d75449dc; spec: /tmp/svcspec_nudv5jgy Get service a5516943-a60c-463e-915c-19c7a55b771e_com.vmware.vxrail Don't update service a5516943-a60c-463e-915c-19c7a55b771e_com.vmware.vxrail Get service b79e1e3f-42c7-4e96-80df-ea6459560d91 Don't update service b79e1e3f-42c7-4e96-80df-ea6459560d91 Get service c4f48c92-184a-4cd9-85c6-b4ed89273fa5 ...................................... ..................................... 
Get service 76f0982a-ec9a-48e2-9180-0730bce9d05e_kv
Don't update service 76f0982a-ec9a-48e2-9180-0730bce9d05e_kv
Get service 3474fde1-bbdc-48a3-923b-5be4970b00b8
Don't update service 3474fde1-bbdc-48a3-923b-5be4970b00b8
Updated 11 service(s)
Status : 100% Completed [All tasks completed successfully]
Please restart all services in associated vCenter Server/s for changes made in Platform Service Controller machine to reflect
Perform restart operation on the vCenter Server/s by using 'service-control --stop --all' and 'service-control --start --all'