Configure PSC HA in vSphere 6.5 – Part 1 – Configuring Certificates


Hello Folks,

First of all, I want to wish everybody a Happy New Year. It’s been awhile I wrote any articles because I have been testing a few things in my lab and this series is to be one of the things I was testing. So today we will be discussing on how to configure PSC HA in a vSphere 6.5 environment.

I am first going to give you run down of my environment. I have two external Platform Services Controllers (PSCs) and two vCenter Servers pointed to one of the PSCs.

  • PSC65-A.lab.local --
  • PSC65-B.lab.local --
  • VCSA65-A.lab.local --
  • VCSA65-B.lab.local --

The Virtual Machine names are pretty self-explanatory. I have the IP addresses set up as shown above. This configuration of PSC HA assumes that you have a new vSphere 6.5 environment set up.

I would also like to bring this everybody’s attention that all of the VMs are appliances and not Windows based machines. Most of the steps will be the same for Windows based PSCs as well.

There are a couple of prerequisites that I am going to show in this article as the setup is going to be very basic and there are plenty of articles available online for the same.

Firstly, you will have to install the primary external Platform Services Controller node (PSC65-A.lab.local). Then deploy the secondary SSO node (PSC65-B.lab.local) as a replication partner to the primary Platform Service Controller node.

My Load Balancer FQDN is going to be PSC-LB.lab.local with the IP Address Make sure that all of the machines are resolvable using DNS server in the domain.

Now let us move on to the main part of the PSC HA configuration wherein we need to first create a Certificate Signing Request (CSR) from one of the PSC’s.

Log in to one of the PSCs using the root credentials. Create a directory called certs under the root directory. Next step is to create a configuration file which will be used to generate the CSR, the file name will be  psc_ha_csr_cfg.cfg.

Using the vi editor, create this file and edit the subjectAltName and commonName fields.

I have highlighted them in red below. The subjectAltName should contain the FQDNs of both the PSCs and the FQDN of the Load Balancer.

The commonName field will contain the FQDN of the Load Balancer.

[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:psc65-a.lab.local, DNS:psc65-b.lab.local, DNS:psc-lb.lab.local
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = psc-lb.lab.local

Save the file and run the below command to generate the CSR and the key file. The file CSR file will be called psc-ha-vip.csr and the key file will be called psc-ha-vip.key

openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg

Next step is to obtain the certificate using the CSR that was generated in the previous step.

In my environment, I am using a Microsoft Root CA and I am not going to get into the details of how to create the CA and the steps to generate the certificates.

Below is the KB article that covers those topics for those who are not aware of how to do this. Basically, create the certificate using the CSR using a pre-defined template for VMware related certificates.

Obtaining vSphere certificates from a Microsoft Certificate Authority ->

After performing the above steps, you will have two certificates that will be created. Once is the Machine_SSL certificate for the PSC and the second is the Root CA certificate.

Configure PSC HA in vSphere 6.5 - Part 1 - Configuring Certificates

Configure PSC HA in vSphere 6.5 - Part 1 - Configuring Certificates

Rename the certificate files to psc-ha-vip.crt  and CustomRootCA.crt. Upload the certificates to the PSC appliance using a utility like WinSCP.

Before opening a session to the appliance using WinSCP, run this command on the PSC so that it start a session successfully.

chsh -s root /bin/bash

We now have two certificates uploaded to the PSC appliance, run the below commands to create proper chains that we will be using to replace the existing certificate of the PSC appliances.

The below commands will give us the psc-ha-vip-chain.crt certificate.

cat /certs/psc-ha-vip.crt >> /certs/psc-ha-vip-chain.crt
cat /certs/CustomRootCA.crt >> /certs/psc-ha-vip-chain.crt

This command will give us the cachain.crt file.

cat /certs/CustomRootCA.crt >> /certs/cachain.crt

Note: If there are any intermediate certificate authorities, then you will have to run the following commands to create the cachain.crt file. Same applies to the psc-ha-vip-chain.crt as well, add the first two lines before the final line.

cat /certs/CustomInterCA1.crt >> /certs/cachain.crt
cat /certs/CustomInterCA2.crt >> /certs/cachain.crt
cat /certs/CustomRootCA.crt >> /certs/cachain.crt

We have finally reached the stage wherein we have all the files required to replace the PSC certificates. The three files that are required for the process are:

  • psc-ha-vip-chain.crt
  • cachain.crt
  • psc-ha-vip.key

Before continuing to the next step, make sure that you have these three files and are present in the /certs directory on the PSC appliance.

Moving on, let us start the Certificate-Manager utility on the Platform Services Controller using the below command.


Configure PSC HA in vSphere 6.5 - Part 1 - Configuring Certificates

Select option 1, use the default [email protected] account and provide the password for the same.

Configure PSC HA

From here select option 2 since we have already created the certificates required to replace the existing Machine SSL certificate.

Configure PSC HA in vSphere 6.5 - Part 1 - Configuring Certificates

As shown above, provide the details about the three files and hit Enter to start the certificate replacement.

If you have followed all the steps correctly, the certificate will be replaced successfully. Use the same three files and replace the certificate on the second PSC as well.

In the next post, we will be looking at how to configure the Load Balancer.

I hope this has been informative and thank you for reading!


About Author

I am Adil Arif, working as a Senior Technical Support Engineer at Rubrik as well as an independent blogger and founder of Enterprise Daddy. In my current role, I am supporting infrastructure related to Windows and VMware datacenters.


  1. Ronald de Jong on

    Hi, great series, a question I have, is it necessary to use a signed certificate from an external CA or can the “normal” self-signed certificate be used as well?

Leave A Reply