You can specify one or more components for certificate replacement.

The management domain contains the following VMs:
  • 2 PSC VMs
  • 1 vCenter Server VM
  • 1 NSX Manager VM
  • 3 vRealize Log Insight VMs
  • 1 SDDC Manager VM
  • vRealize Operations VMs if you have installed vRealize Operations
  • vRealize Automation VMs if you have installed vRealize Automation

Each workload domain contains 1 vCenter Server VM and 1 NSX Manager VM.

It is recommended that you replace the certificates on a workload domain (for both vCenter Server and NSX Manager) right after you create the workload domain.

From then on, you can replace certificates as appropriate: all certificates for the management domain or a workload domain, or some certificates on one or more domains. The following sections contain example configuration files. vRealize Operations certificates are replaced automatically as part of the management domain components. You must replace vRealize Automation certificates manually after the initial post-deployment certificate replacement.

Replace vCenter Server and NSX Manager Certificates on a Workload Domain

{
  "replacementScope" : {
    "replaceWorkloadDomain" : ["DomainName"]
  },
  "certificateDefaults" : {
    "countryName" : "US",
    "stateOrProvinceName" : "California",
    "localityName" : "Palo Alto",
    "organizationName" : "VMWare Inc.",
    "organizationUnitName" : "VMware IT department",
    "keySize" : 4096
  }
}

You can specify more than one workload domain.

Replace vRealize Log Insight Certificates on the Management Domain

{
  "replacementScope" : {
    "replaceManagementDomain" : true,
    "replaceComponents" : ["LOGINSIGHT"]
  },
  "certificateDefaults" : {
    "countryName" : "US",
    "stateOrProvinceName" : "California",
    "localityName" : "Palo Alto",
    "organizationName" : "VMWare Inc.",
    "organizationUnitName" : "VMware IT department",
    "keySize" : 4096
  }
}

Replace NSX Manager Certificate on a Workload Domain

{
  "replacementScope" : {
    "replaceWorkloadDomain" : ["DomainName"],
    "replaceComponents" : ["NSX"]
  },
  "certificateDefaults" : {
    "countryName" : "US",
    "stateOrProvinceName" : "California",
    "localityName" : "Palo Alto",
    "organizationName" : "VMWare Inc.",
    "organizationUnitName" : "VMware IT department",
    "keySize" : 4096
  }
}

You can specify more than one workload domain.
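
A pre-flight check for configuration files shaped like the examples above, written as an added example (it is not part of the product or its tooling). The key names come from this page; the function name `lint_config`, the 2048-bit floor, and the idea of flagging keys not shown here are assumptions made for illustration.

```python
import json

# Key names are the ones used in the example files on this page.
SCOPE_KEYS = {"replaceManagementDomain", "replaceWorkloadDomain", "replaceComponents"}
DN_FIELDS = ("countryName", "stateOrProvinceName", "localityName",
             "organizationName", "organizationUnitName")
MIN_KEY_SIZE = 2048  # assumption: local policy floor, not a documented tool limit


def lint_config(text):
    """Return a list of problems found in a certificate replacement config."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # A strict parser rejects, for example, a comma before a closing brace.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level: must be a JSON object"]
    problems = []
    scope = cfg.get("replacementScope")
    if not isinstance(scope, dict):
        problems.append("replacementScope: missing or not an object")
        scope = {}
    for key in sorted(set(scope) - SCOPE_KEYS):
        problems.append(f"replacementScope.{key}: not a key shown on this page")
    if not isinstance(scope.get("replaceManagementDomain", False), bool):
        problems.append("replaceManagementDomain: must be true or false")
    for key in ("replaceWorkloadDomain", "replaceComponents"):
        names = scope.get(key, [])
        if not (isinstance(names, list)
                and all(isinstance(n, str) and n.strip() for n in names)):
            problems.append(f"{key}: must be a list of non-empty strings")
        elif key == "replaceWorkloadDomain" and "DomainName" in names:
            problems.append(f"{key}: placeholder DomainName was not replaced")
    defaults = cfg.get("certificateDefaults")
    if not isinstance(defaults, dict):
        return problems + ["certificateDefaults: missing or not an object"]
    for field in DN_FIELDS:
        value = defaults.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or empty")
    country = defaults.get("countryName")
    if isinstance(country, str) and not (len(country) == 2 and country.isalpha() and country.isupper()):
        problems.append("countryName: must be a two-letter uppercase country code")
    size = defaults.get("keySize")
    if isinstance(size, bool) or not isinstance(size, int) or size < MIN_KEY_SIZE:
        problems.append(f"keySize: must be an integer of at least {MIN_KEY_SIZE}")
    return problems
```

Pass the file contents as a string; an empty list means none of these checks failed.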