PSC HA 6.5: 3 – Preparing a certificate

For PSC 6.5 HA we require a single certificate that contains all PSC FQDNs and the shared Load Balanced FQDN. This section will explain how to generate a correct certificate either from VMCA or from an External Certificate Authority

Create a psc_ha_csr_cfg.cfg OpenSSL configuration file.

 Using the following as a template, create an OpenSSL configuration file called psc_ha_csr_cfg.cfg

Make a new directory /certs and save this file there.
You must ensure that your subjectAltName values and commonName values are correct for your environment.

The subjectAltName values should contain all PSC FQDNs that will participate in this HA Site, including the Load Balanced FQDN.

The commonName value should be the Load Balanced FQDN


[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName =,,

[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName =

Generate a Certificate Signing request and Private Key

Using OpenSSL we will generate a certificate signing request (.csr) and a Private Key (.key) using the configuration file completed in the previous step.

openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg

The above command will output a .csr and a .key file

Note: In the above command we use rsa:2048 to create a 2048 bit key length private key. You can modify this value if you wish. For example 4096. 2048 is the minimum.

Generate a certificate from VMCA

This step is only if you want to use VMCA issued certificates. If you wish to use your own Certificate Authority, skip to the next step. (Generate a certificate from an external certificate authority)

If you wish to use VMCA issued certificates (both VMCA or VMCA as a Subordinate) then we would run the following command to generate the signed certificate (.crt)

This command takes in the .csr and the the .cfg file created in earlier steps.

openssl x509 -req -days 3650 -in /certs/psc-ha-vip.csr -out /certs/psc-ha-vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg

The above command will output a .crt file that will be the signed certificate.

Copy the current VMCA root certificate and call it cachain.crt.

cp /var/lib/vmware/vmca/root.cer /certs/cachain.crt

Create a full chained Machine SSL Certificate that contains the newly created certificate and the VMCA root certificate. Call this chained certificate psc-ha-vip-chain.crt

cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/cachain.crt >> /certs/psc-ha-vip-chain.crt

Generate a certificate from an external certificate authority

If you do not wish to use VMCA to generate the certificate you can use your own certificate authority.

Provide the certificate signing request generated in the previous steps to your preferred certificate authority.

The following VMware KB article explains this process for a Microsoft Certificate Authority.

Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)

Create a full chained Machine SSL Certificate that contains the newly created certificate and all Intermediate CA(s), if applicable, and Root CA. Call this chained certificate psc-ha-vip-chain.crt

For example, in the command below I have my new certificate psc-ha-vip.crt, two Intermediate CAs CustomInterCA1.crt, CustomInterCA2.crt and finally my Root CA CustomRootCA.crt. Concatenate these certificates into a chain.

cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomInterCA1.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomInterCA2.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomRootCA.crt >> /certs/psc-ha-vip-chain.crt

Create a second chained Certificate that only contains the Intermediate CA(s), if applicable, and Root CA. Call this chained certificate cachain.crt.

cat /certs/CustomInterCA1.crt >> /certs/cachain.crt
cat /certs/CustomInterCA2.crt >> /certs/cachain.crt
cat /certs/CustomRootCA.crt >> /certs/cachain.crt

Preparing certificates

You should now have the following three files.

  • psc-ha-vip-chain.crt
  • psc-ha-vip.key
  • cachain.crt

Validate the certificate

Run the following OpenSSL command against the psc-ha-vip-chain.crt

openssl x509 -in /certs/psc-ha-vip-chain.crt -noout -text

Verify that the Subject CN value is the correct Load Balanced FQDN.

Verify that all PSC FQDNs and Load Balanced FQDN are present in the DNS values.

        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California,, OU=VMware Engineering
            Not Before: Aug 26 10:03:00 2016 GMT
            Not After : Aug 24 10:03:00 2026 GMT
        Subject: C=IE, ST=Cork, L=Cork, O=VMware, OU=vTSU,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
    Signature Algorithm: sha256WithRSAEncryption

Next: Replacing the Machine SSL Certificate