Hi there,
Is anyone able to confirm: if you have an environment with multiple Platform Services Controllers (all under the same SSO domain), do you need to set up each PSC as a sub-CA if you intend to use, say, a Microsoft Certificate Authority?
Basically I have 2 vCenters and 2 Platform Services Controllers across 2 different sites, all under the same SSO domain. I set up the first PSC as a sub-CA to my Microsoft PKI and everything is now signed off as I would like. In the second site, I set up the second vCenter and PSC and joined the PSC to the existing SSO domain. However, the vCenter and PSC will not sign certificates from the other PSC. It appears I have to set this PSC up as a sub-CA also. (I assume the secondary PSC does not replicate the certificate authority information from the first PSC?)
I just want to make sure this is the correct way or if I am missing something basic...
Thanks in advance for your help
Kind Regards,
Justin
Yes. You need to have the second PSC also set up as subordinate if the first PSC is subordinate. The issuer of the vCenter certificates would be the PSC to which it is connected, so if the vc2 is pointed to psc2, it talks to VMCA. If VMCA is default and not subordinate, it would not talk to psc1. It will only sign by VMCA but not by subordinate CA.
Thanks,
MS
Thanks MS, that's perfect information