You can generate a CSR and signed certificates, and install them for selected resource components directly in the SDDC Manager Dashboard.

Prerequisites

Procedure

  1. In the SDDC Manager Dashboard, click Inventory > Workload Domains.
    The Workload Domains page displays information for all workload domains.
  2. In the list of domains, click the name of the workload domain to open the details page for that domain.
    The workload domain details page displays CPU, memory, and storage allocated to the domain.
  3. Select the Security tab.
    This tab lists the default certificates, among other details, for the Cloud Foundation resource components. It also provides controls for working with certificates.
    Note: You can view the current certificate and key information for a component by clicking the down-arrow icon next to the name.
  4. Generate the CSR.
    1. Use the check boxes to select the resource components for which you want to generate the CSR.
    2. Click Generate CSR.
      The Generate CSRs dialog box opens.
    3. Configure the following settings for the CSR.
      Option: Description
      Algorithm: Select the key type for the certificate. RSA (the default) is typically used. The key type defines the encryption algorithm for communication between the hosts.
      Key Size: Select the key size (2048, 3072 or 4096 bit) from the dropdown list.
      Email: Optionally, enter a contact email address.
      Organizational Unit: Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization: Type the name under which your company is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality: Type the city or locality where your company is legally registered.
      State or Province Name: Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country: Type the country name where your company is legally registered. This value must use the ISO 3166 country code.
    4. Click Generate CSR.
    The Generate CSRs dialog box closes. The Security tab displays a status of CSR Generation is in progress. When the CSR generation completes, the Generate Signed Certificates button becomes active.
  5. Generate the signed certificates.
    1. Leave all the resource components selected.
    2. Click Generate Signed Certificates.
      The Generate Signed Certificates dialog box appears, listing the selected components.
    3. For Select Certificate Authority, select the desired authority, and click Generate Certificate.
    The Generate Signed Certificates dialog box closes. The Security tab displays a status of Certificates Generation is in progress. When the certificate generation completes, the Install Certificates button becomes active.
  6. Click Install Certificates.
    The Security tab displays a status of Certificates Installation is in progress.
    Note: As installation completes, the Certificates Installation Status column for each selected resource component in the list changes to Successful with a green check mark.
    Important: If you selected SDDC Manager as one of the resource components, you must manually restart SDDC Manager services to reflect the new certificate and to establish a successful connection between Cloud Foundation services and other resources in the management domain.
    Important: If you selected vRealize Automation as one of the resource components, you must ensure that the vRealize Automation resource root certificate is trusted by all the vRealize Automation VMs in your deployment.
  7. Restart all services using the provided sddcmanager_restart_services.sh script.
    To restart the services:
    1. Using SSH, log in to the SDDC Manager VM with the following credentials:
      Username: vcf

      Password: use the password specified in the deployment parameter sheet

    2. Enter su to switch to the root user.
    3. Run the following command:
      sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh 
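
To confirm the result once installation and the restart are done, the following added example (not part of the VMware procedure or tooling) checks a component's certificate with openssl: key size against the sizes the Generate CSRs dialog offers, a two-letter country code in the subject, a CA issuer rather than a self-signed one, and remaining validity. The function name check_cert, the PEM-file input and the 30-day default are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not VMware code). Assumes openssl is installed and the
# certificate under test is a PEM file, for instance one saved with:
#   openssl s_client -connect HOST:443 </dev/null | openssl x509 > cert.pem
# HOST, cert.pem and the 30-day default below are illustrative choices.

# check_cert PEM_FILE [MIN_DAYS]
# Returns 0 only if every check passes; prints one line per check.
check_cert() {
    pem=$1
    min_days=${2:-30}
    rc=0

    # Key size must be one of the sizes offered in the Generate CSRs dialog.
    bits=$(openssl x509 -in "$pem" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    case $bits in
        2048|3072|4096) echo "OK   key size: $bits bit" ;;
        *) echo "FAIL key size: ${bits:-unreadable}"; rc=1 ;;
    esac

    subj=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//')
    iss=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 2>/dev/null |
        sed 's/^issuer= *//')

    # Country in the subject must be a two-letter ISO 3166 code.
    case ",$subj," in
        *,C=[A-Z][A-Z],*) echo "OK   country code present in subject" ;;
        *) echo "FAIL no two-letter country code in: $subj"; rc=1 ;;
    esac

    # A CA-issued certificate has an issuer that differs from its subject.
    if [ -n "$subj" ] && [ "$subj" != "$iss" ]; then
        echo "OK   issued by: $iss"
    else
        echo "FAIL self-signed or unreadable certificate"; rc=1
    fi

    # Reject certificates that expire within MIN_DAYS.
    if openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "OK   valid for at least $min_days more days"
    else
        echo "FAIL expires within $min_days days"; rc=1
    fi
    return $rc
}
```

Run it as `check_cert cert.pem 60` for each component whose certificate you replaced; a non-zero exit status means at least one check failed.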

What to do next

If you have replaced the certificate for the vRealize Operations Manager resource component, you must reconfigure the load balancer node. See Configure SSL Passthrough for vRealize Operations Manager.