VMware Cloud Community
nhssecom
Contributor

vCenter 6.7 Upd1 Custom certificates and multi-site install

Hi

I am in the process of deploying a new vSphere 6.7 Update 1 environment for a customer. From a hardware perspective the setup is as follows:

There are two physically separate datacenters, each consisting of the following hardware:

1 x HPE C7000 enclosure

6 x HPE Proliant BL460c Gen 10 blades. More to be added at a later stage.

Storage is FC backend.

I have done a couple of these designs and implementations for other customers (vSphere 6.5), using John Kozej's brilliant guide https://thewificable.com/2017/01/06/vcenter-6-5-high-availability-overview-part-1/ which I have found very useful. It's very helpful for creating the correct workflow, especially when it comes to the part about custom certificates.

With the external PSC it works brilliantly: as long as you get the two (or more) PSCs installed, create and install custom certificates, and join them to the domain, you can deploy vCenters and ESXi hosts to your heart's desire, all deployed with the correct custom certificate, all working beautifully.

I then started this new venture, based on the newest vSphere 6.7 Update 1. And no matter where I look, including in VMware's own blogs, they keep saying that the external PSC is dead, and that customers should abstain from using it. And now even ELM is supported, so there is no more need to use the external PSC at all. But is that completely true, or what?

The reason why I ask the question is simply this. When it comes to implementing custom certificates, it doesn't seem to be as easy and straightforward as with an external PSC. My idea was to have a vCenter Server with Embedded PSC, implemented with vCenter HA and custom certificates, one in each datacenter. Both vCenter Servers in the same SSO domain, with Embedded Linked Mode, to take advantage of single-pane-of-glass administration.

I am now in the situation, due to time pressure in this project, that I have had to first install the 1st vCenter with embedded PSC and the first 6 ESXi hosts in a very basic setup, so the customer could start to migrate VMs over from an older installation. I was planning on adding vCenter HA at a later stage, but have to wait for some extra NICs to facilitate this setup.

I can then install the custom certificate(s). But if I install custom certificate(s) on the 1st vCenter, and then in a week's time install the 2nd vCenter with Embedded PSC, I'm very uncertain as to what will happen.

My problem is the following. Let's say the 1st vCenter Server is installed, and I have implemented the custom certificates. When I install the 2nd vCenter Server, I join it to the domain I created on the first vCenter Server, and I would imagine that they exchange certificates during the join operation. So now the 1st vCenter Server has custom certificates, but the 2nd only has the automatically generated certificates it gets when installed. If I now, after the installation of the 2nd vCenter Server is complete, create custom certificates on it, will that not break the replication between the two vCenter Servers, so that the 2nd vCenter Server is no longer recognised by the SSO domain?

Any thoughts on the subject would be greatly appreciated, since reading the documentation has seemed very useless to me. It only describes the most basic setup of creating custom certificates on a single vCenter Server. But since I have a multi-site setup, and want to utilise Embedded Linked Mode as well, I can't find anything that explains that kind of scenario.

Regards

nhssecom

0 Replies
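Whatever the answer to the replication question turns out to be, the state the post describes (one node already on CA-issued custom certificates, the other still on the certificate it got at install time) can be verified from the outside before and after each replacement step. The script below is an added example, not code from the post or from VMware: it builds a throwaway CA and two leaf certificates standing in for the two vCenter nodes, plus a self-signed certificate standing in for the install-time one, and then checks for each node that its certificate chains to the expected CA and names the host in a DNS SAN. The CA name, the hostnames (vcsa01/vcsa02.example.invalid) and all keys are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): model the two-node certificate state the
# poster describes and check, per node, that the endpoint certificate chains to the
# customer's CA and carries the hostname as a DNS SAN. Everything here is constructed:
# the CA, the hostnames (vcsa01/vcsa02.example.invalid) and the keys are demo material.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the customer's issuing CA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
  -subj "/CN=Example Enterprise CA" >/dev/null 2>&1

# issue_leaf HOST: a CA-signed certificate with a DNS SAN, i.e. what a node looks like
# once the custom certificate has been installed on it.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 365 -extfile "$1.ext" >/dev/null 2>&1
}

# Self-signed certificate standing in for the automatically generated, install-time
# certificate the poster expects to find on the freshly deployed 2nd node.
openssl req -x509 -newkey rsa:2048 -nodes -keyout installtime.key -out installtime.crt \
  -days 365 -subj "/CN=vcsa02.example.invalid" >/dev/null 2>&1

issue_leaf vcsa01.example.invalid
issue_leaf vcsa02.example.invalid

# check_node CERT HOST CAFILE: succeeds only when CERT chains to CAFILE and lists HOST
# as a DNS SAN. This is the check to run against each node after every replacement.
check_node() {
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" || return 1
}

# same_issuer CERT1 CERT2: succeeds when both certificates carry the same issuer DN,
# a quick way to spot a node that is still on its install-time certificate.
same_issuer() {
  [ "$(openssl x509 -in "$1" -noout -issuer)" = "$(openssl x509 -in "$2" -noout -issuer)" ]
}

# Stand-alone run: report the state of each node, including the not-yet-replaced case.
for pair in "vcsa01.example.invalid vcsa01.example.invalid.crt" \
            "vcsa02.example.invalid vcsa02.example.invalid.crt" \
            "vcsa02.example.invalid installtime.crt"; do
  set -- $pair
  if check_node "$2" "$1" ca.crt; then
    echo "OK   $1 ($2): trusted chain and matching SAN"
  else
    echo "FAIL $1 ($2): not issued by the expected CA, or SAN does not match"
  fi
done
```

Against a live node you would feed `check_node` the certificate fetched from the node's HTTPS endpoint (for example with `openssl s_client`) instead of a locally issued file; the two functions are the same either way. Running the check on both nodes after the 2nd one has had its certificates replaced tells you at least that each node presents a chain the other side can validate against the same CA, which is a precondition for any trust between them regardless of how the join handled the exchange.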