Configure certificate in VMware Tanzu

TASK 1: GENERATE A CSR

  1. In the vSphere Client, select your Tanzu Cluster name and select Configure > Namespaces > Certificates.
  2. In the Workload Platform MGT tile, click the Actions drop-down menu and select Generate CSR.
  3. Configure the CSR.
    NOTE:
    The value for the common name must be the DNS name of your VMware Tanzu cluster (as can be seen in the picture below).
    The other values can be changed to your own values.

| Parameter | Action |
| --- | --- |
| Common name | DNS name of your VMware Tanzu cluster (as can be seen in the picture below) |
| Organization | |
| Organizational Unit | |
| Country | |
| State/Province | |
| Locality | |
| Email Address | |

  4. Click Next.
  5. Click Download to save the certificate signing request file to the student desktop.
  6. Click Copy to copy the contents to the clipboard.
  7. Click Finish.

Note: The common name is vspherek8s.vclass.local in this example.

TASK 2: OBTAIN A SIGNED CERTIFICATE

You provide a CSR to a certificate authority to download a signed certificate.

  1. Open a browser window to your Certification service, for example http://dc.vclass.local/certsrv.
  2. Log in.
  3. Enter the user name.
  4. Enter the password.
  5. In the Microsoft Active Directory Certificate Services home page, click Request a Certificate.
  6. Click Advanced certificate request.
  7. Paste the copied contents of the CSR into the Saved Request text box.
  8. In the Certificate Template drop-down menu, select vSphere.
  9. Click Submit.
  10. Select Base 64 encoded.
  11. Click Download Certificate.

 

TASK 3: INSTALL THE CERTIFICATE AUTHORITY ROOT CERTIFICATE

You install the certificate authority root certificate into the vCenter Server trusted root store.

  1. In the vSphere Client, select Menu > Administration > Certificate Management.
  2. Click Add next to Trusted Root Certificates.
  3. In the Add Trusted Root Certificates dialog box, click Browse.
  4. Browse to your root .cer file (for example, MSCA_Root.cer).
  5. Click Open.
  6. Click Add.
    A second entry is visible in the vSphere Client under Trusted Root Certificates.

 

TASK 4: REPLACE THE CONTROL PLANE MANAGEMENT CERTIFICATE

You install a new signed certificate for the vSphere with Tanzu control plane VMs.

  1. In the vSphere Client, select Menu > Hosts and Clusters.
  2. Select your VMware Tanzu cluster.
  3. Select Configure > Namespaces > Certificates.
  4. In the Workload Platform MGT tile, click the Actions drop-down menu and select Replace Certificate.
  5. In the Replace Certificate window, click Upload Certificate File.
  6. In the Open window, browse to the .cer file you downloaded in TASK 2.
  7. Click Open.
  8. Click Replace.
  9. Open a new browser tab and go to your cluster IP address over HTTPS (for example, https://192.168.30.33).
    The vSphere with Tanzu control plane landing page opens.
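
The checks below are an added example, not part of the original post: before clicking Replace in TASK 4, they use the openssl CLI to confirm that the downloaded certificate carries the CSR's public key, has the expected common name, and validates against the root added in TASK 3. The function names and file names (root.cer, tanzu.csr, tanzu.cer) are assumptions, and make_constructed_lab only generates throwaway sample files so the checks can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on the files from
# TASK 1-3 before clicking Replace in TASK 4. Requires the openssl CLI.

# Succeeds only if the signed certificate carries the CSR's public key.
cert_matches_csr() {  # cert_matches_csr CERT CSR
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$csr_pub" ]
}

# Prints the certificate's subject common name.
cert_cn() {  # cert_cn CERT
  openssl x509 -in "$1" -noout -nameopt multiline -subject |
    sed -n 's/^ *commonName *= *//p'
}

# Succeeds only if CERT validates against the root added in TASK 3.
chains_to_root() {  # chains_to_root ROOT CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs all three checks; any failure means the file should not be uploaded.
precheck() {  # precheck ROOT CSR CERT EXPECTED_DNS_NAME
  cert_matches_csr "$3" "$2" || { echo "FAIL: key does not match CSR"; return 1; }
  [ "$(cert_cn "$3")" = "$4" ] || { echo "FAIL: CN is not $4"; return 1; }
  chains_to_root "$1" "$3" || { echo "FAIL: not issued by $1"; return 1; }
  echo "OK: $3 passed all checks for $4"
}

# Constructed sample input: a throwaway root CA, CSR and signed certificate
# written to DIR (file names are assumptions, not from the post).
make_constructed_lab() {  # make_constructed_lab DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout "$1/ca.key" -out "$1/root.cer" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vspherek8s.vclass.local" \
    -keyout "$1/tanzu.key" -out "$1/tanzu.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/tanzu.csr" -CA "$1/root.cer" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/tanzu.cer" 2>/dev/null
}

# Usage: sh precheck.sh root.cer tanzu.csr tanzu.cer vspherek8s.vclass.local
if [ "$#" -eq 4 ]; then precheck "$@"; fi
```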

 

Note: If you log in without replacing the certificate and get the error “certificate signed by unknown authority”, you can log in with the --insecure-skip-tls-verify parameter, which skips verification of the server certificate.

For example:

kubectl vsphere login --server=192.168.30.33 --insecure-skip-tls-verify

Author: Ali YAZICI
