You can manage certificates for all external-facing Cloud Foundation component resources, including configuring a certificate authority, generating and downloading CSRs, and installing certificates. This section provides instructions for using both Microsoft and non-Microsoft certificate authorities.

You can manage the certificates for the following components.

  • Platform Services Controllers
  • vCenter Server
  • NSX Manager
  • SDDC Manager
  • vRealize Automation
  • vRealize Log Insight
  • vRealize Operations
Note: If you encounter errors when replacing certificates for vRealize Automation, refer to Replace the vRealize Automation Appliance Management Site Certificate in the vRealize Automation product documentation.
You replace certificates for the following reasons:
  • Certificate has expired or is close to expiring.
  • Certificate has been revoked.
  • You do not want to use the default VMCA certificate.
  • Optionally, when you create a new workload domain.

However, it is recommended that you replace all certificates right after deploying Cloud Foundation. After you create new workload domains, you can replace certificates for the appropriate components as needed.

Note: At the beginning of the certificate replacement workflow, the SDDC Manager Dashboard automatically takes a snapshot (pre-replace-certificate) of the component resources, except for the vRealize Suite components. This enables you to roll back if the certificate replacement process fails. If the process succeeds, this snapshot is automatically deleted.
Important: Do not replace certificates if any update operations are in progress. Wait until the updates complete before proceeding.