6.5.1
Table Of Contents
- Platform Services Controller Administration
- Contents
- About Platform Services Controller Administration
- Updated Information
- Getting Started with Platform Services Controller
- vCenter Server and Platform Services Controller Deployment Types
- Deployment Topologies with External Platform Services Controller Instances and High Availability
- Understanding vSphere Domains, Domain Names, and Sites
- Platform Services Controller Capabilities
- Managing Platform Services Controller Services
- Managing the Platform Services Controller Appliance
- vSphere Authentication with vCenter Single Sign-On
- Understanding vCenter Single Sign-On
- Configuring vCenter Single Sign-On Identity Sources
- Identity Sources for vCenter Server with vCenter Single Sign-On
- Set the Default Domain for vCenter Single Sign-On
- Add a vCenter Single Sign-On Identity Source
- Edit a vCenter Single Sign-On Identity Source
- Remove a vCenter Single Sign-On Identity Source
- Use vCenter Single Sign-On With Windows Session Authentication
- vCenter Server Two-Factor Authentication
- Using vCenter Single Sign-On as the Identity Provider for Another Service Provider
- Security Token Service STS
- Managing vCenter Single Sign-On Policies
- Managing vCenter Single Sign-On Users and Groups
- Add vCenter Single Sign-On Users
- Disable and Enable vCenter Single Sign-On Users
- Delete a vCenter Single Sign-On User
- Edit a vCenter Single Sign-On User
- Add a vCenter Single Sign-On Group
- Add Members to a vCenter Single Sign-On Group
- Remove Members From a vCenter Single Sign-On Group
- Delete vCenter Single Sign-On Solution Users
- Change Your vCenter Single Sign-On Password
- vCenter Single Sign-On Security Best Practices
- vSphere Security Certificates
- Certificate Requirements for Different Solution Paths
- Certificate Management Overview
- Managing Certificates with the Platform Services Controller Web Interface
- Explore Certificate Stores from the Platform Services Controller Web Interface
- Replace Certificates with New VMCA-Signed Certificates from the Platform Services Controller Web Interface
- Make VMCA an Intermediate Certificate Authority from the Platform Services Controller Web Interface
- Set up Your System to Use Custom Certificates from the Platform Services Controller
- Managing Certificates from the vSphere Web Client
- Managing Certificates with the vSphere Certificate Manager Utility
- Certificate Manager Options and the Workflows in This Document
- Regenerate a New VMCA Root Certificate and Replace All Certificates
- Make VMCA an Intermediate Certificate Authority (Certificate Manager)
- Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
- Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
- Replace Machine SSL Certificate with VMCA Certificate (Intermediate CA)
- Replace Solution User Certificates with VMCA Certificates (Intermediate CA)
- Replace All Certificates with Custom Certificate (Certificate Manager)
- Revert Last Performed Operation by Republishing Old Certificates
- Reset All Certificates
- Manual Certificate Replacement
- Managing Services and Certificates With CLI Commands
- Troubleshooting Platform Services Controller
- Determining the Cause of a Lookup Service Error
- Unable to Log In Using Active Directory Domain Authentication
- vCenter Server Login Fails Because the User Account Is Locked
- VMware Directory Service Replication Can Take a Long Time
- Export a Platform Services Controller Support Bundle
- Platform Services Controller Service Logs Reference
4 Generate the key.
/usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/root/newsts/sts.key --
pubkey=/root/newsts/sts.pub
5 Generate the certificate
/usr/lib/vmware-vmca/bin/certool --gencert --cert=/root/newsts/newsts.cer --
privkey=/root/newsts/sts.key --config=/root/newsts/certool.cfg
6 Convert the certificate to PK12 format.
openssl pkcs12 -export -in /root/newsts/newsts.cer -inkey /root/newsts/sts.key -
certfile /etc/vmware-sso/keys/ssoserverRoot.crt -name "newstssigning" -passout pass:changeme -out
newsts.p12
7 Add the certificate to the Java key store (JKS).
/usr/java/jre-vmware/bin/keytool -v -importkeystore -srckeystore newsts.p12 -srcstoretype pkcs12 -
srcstorepass changeme -srcalias newstssigning -destkeystore root-trust.jks -deststoretype JKS -
deststorepass testpassword -destkeypass testpassword
/usr/java/jre-vmware/bin/keytool -v -importcert -keystore root-trust.jks -deststoretype JKS -
storepass testpassword -keypass testpassword -file /etc/vmware-sso/keys/ssoserverRoot.crt -alias
root-ca
8 When prompted, type Yes to accept the certificate into the keystore.
What to do next
You can now import the new certificate. See Refresh the Security Token Service Certificate.
Generate a New STS Signing Certiļ¬cate on a vCenter Windows
Installation
If you want to replace the default STS signing certificate, you have to first generate a new certificate and
add it to the Java key store. This procedure explains the steps on a Windows installation.
Note This certificate is valid for ten years and is not an external-facing certificate. Do not replace this
certificate unless your company's security policy requires it.
See Generate a New STS Signing Certificate on the Appliance if you are using a virtual appliance.
Procedure
1 Create a new directory to hold the new certificate.
cd C:\ProgramData\VMware\vCenterServer\cfg\sso\keys\
mkdir newsts
cd newsts
Platform Services Controller Administration
VMware, Inc. 61