If you intend to generate and install external or third-party certificates, you must download the certificate signing request (CSR) from SDDC Manager UI and have it manually signed by a third-party CA. You can then use the controls in SDDC Manager UI to install the certificate.

Prerequisites

Verify that you have configured and packaged your certificate authority configuration files in the form of a <domain_name>.tar.gz file. The contents of this archive must adhere to the following structure:
  • The name of the top-level directory must exactly match the name of the domain as it appears in the list on the Inventory > Workload Domains page. For example, MGMT.
  • The PEM-encoded root CA certificate chain file (rootca.crt) must reside inside this top-level directory.

    The rootca.crt file contains the root certificate authority certificate and any number of intermediate CA certificates. The file structure of the rootca.crt file must look like the following example:

    -----BEGIN CERTIFICATE-----
    <Intermediate1 certificate content>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Intermediate2 certificate content>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Root certificate content>
    -----END CERTIFICATE-----

    In the above example, there are two intermediate certificates, Intermediate1 and Intermediate2, and a root certificate. Intermediate1 must be issued by Intermediate2, and Intermediate2 must be issued by the root CA; that is, each certificate in the file is followed by the certificate of its issuer, and the root certificate comes last.

  • This directory must contain one sub-directory for each component resource.

    The name of each sub-directory must exactly match the resource hostname of a corresponding component as it appears in the Resource Hostname column in the Workload Domains > Security tab.

    For example, nsxManager.vrack.vsphere.local and vcenter-1.vrack.vsphere.local.

  • Each sub-directory must contain a corresponding .crt file, whose name must exactly match the resource hostname as it appears in the Resource Hostname column in the Workload Domains > Security tab. The content of the .crt file must end with a newline character. All certificates, including rootca.crt, must use the UNIX file format (LF line endings, not CRLF).

    For example, the nsxManager.vrack.vsphere.local sub-directory must contain the nsxManager.vrack.vsphere.local.crt file.

Note: All resource and hostname values can be found in the list on the Inventory > Workload Domains > Security tab.

Procedure

  1. In the navigation pane, click Inventory > Workload Domains.
  2. On the Workload Domains page, click View Details.
  3. Click a workload domain name and then click the Security tab.
  4. Generate the CSR.
    1. From the table, select the check box for the resource type for which you want to generate a CSR.
    2. Click Generate CSR.
    3. Configure the settings and click Generate CSR.

      Option               Description
      Algorithm            Select the key algorithm for the certificate.
      Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email                Optionally, enter a contact email address.
      Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization         Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality             Type the city or locality where your company is legally registered.
      State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country              Type the country name where your company is legally registered. This value must use the ISO 3166 country code.

    When CSR generation is complete, the Download CSR button becomes active.
  5. Click Download CSR to download and save the CSR files to the directory structure described in the Prerequisites section above.
  6. External to SDDC Manager UI, complete the following tasks:
    1. Verify that the .csr files were generated successfully and are placed in the required file structure.
    2. Get the certificate requests signed.
      This produces the corresponding .crt files.
    3. Verify that the newly acquired .crt files are correctly named and placed in the required file structure.
    4. Package the file structure as <domain name>.tar.gz.
  7. Click Upload and Install.
  8. In the Upload and Install Certificates dialog box, click Browse to locate and select the newly created <domain name>.tar.gz file.
    After you select the file, the Upload button becomes active.
  9. Click Upload.
    When the upload is completed, the Install Certificate button becomes active.
  10. Click Install Certificate.
    The Security tab displays a status of Certificates Installation is in progress.
    Note: When the installation completes, the Certificates Installation Status column for the affected components in the list changes to Successful with a green check mark.
    Important: If you selected SDDC Manager as one of the resource components, you must manually restart SDDC Manager services to reflect the new certificate and to establish a successful connection between VMware Cloud Foundation services and other resources in the management domain.
    Important: If you selected vRealize Automation as one of the resource components, you must ensure that all the vRealize Automation VMs in your deployment trust the vRealize Automation resource root certificate.
  11. After the certificate replacement workflow has completed successfully, restart all services using the provided sddcmanager_restart_services.sh script.
    To restart the services:
    1. Using SSH, log in to the SDDC Manager appliance with the following credentials:
      Username: vcf

      Password: use the password provided in the deployment parameter sheet

    2. Enter su to switch to the root user.
    3. Run the following command:
      sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh 
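The layout rules in the Prerequisites section and the verification and packaging tasks in step 6 are easy to get subtly wrong (a mis-typed hostname directory, a .crt saved with CRLF line endings or without a trailing newline, a copy-pasted PEM marker with the wrong number of dashes), and SDDC Manager only reports the problem after the upload. The following script is an added example, not part of SDDC Manager or VMware's documentation: it checks an unpacked bundle directory against those layout rules and then packages it as <domain name>.tar.gz with the domain directory as the archive root. It checks structure only; it does not validate signatures or the issuer order inside rootca.crt. The make_sample_bundle helper writes constructed placeholder PEM bodies, not real certificates, so the checks can be exercised offline.

```python
import os
import tarfile
import tempfile

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def check_pem_file(path):
    """Return a list of problems found in one .crt file (empty if it is clean)."""
    problems = []
    with open(path, "rb") as fh:
        data = fh.read()
    if b"\r" in data:
        problems.append(f"{path}: contains CR characters; convert to UNIX (LF) line endings")
    if not data.endswith(b"\n"):
        problems.append(f"{path}: content must end with a newline character")
    lines = [ln.strip() for ln in data.split(b"\n") if ln.strip()]
    begins = [ln for ln in lines if ln.startswith(b"-----BEGIN")]
    ends = [ln for ln in lines if ln.startswith(b"-----END")]
    if not begins:
        problems.append(f"{path}: no PEM certificate block found")
    # A marker with the wrong dash count (e.g. six trailing dashes) or label
    # breaks PEM parsers even though it looks right at a glance.
    for marker in begins:
        if marker != PEM_BEGIN:
            problems.append(f"{path}: malformed BEGIN marker {marker!r}")
    for marker in ends:
        if marker != PEM_END:
            problems.append(f"{path}: malformed END marker {marker!r}")
    if len(begins) != len(ends):
        problems.append(f"{path}: {len(begins)} BEGIN markers but {len(ends)} END markers")
    return problems


def check_bundle_dir(bundle_dir, domain, hostnames):
    """Check an unpacked bundle against the <domain_name>.tar.gz layout rules.

    domain: the workload domain name from Inventory > Workload Domains (e.g. MGMT).
    hostnames: the Resource Hostname values selected on the Security tab.
    """
    problems = []
    top = os.path.basename(os.path.normpath(bundle_dir))
    if top != domain:
        problems.append(f"top-level directory is {top!r}, expected {domain!r}")
    rootca = os.path.join(bundle_dir, "rootca.crt")
    if os.path.isfile(rootca):
        problems += check_pem_file(rootca)
    else:
        problems.append("rootca.crt is missing from the top-level directory")
    for host in hostnames:
        crt = os.path.join(bundle_dir, host, f"{host}.crt")
        if os.path.isfile(crt):
            problems += check_pem_file(crt)
        else:
            problems.append(f"missing {host}/{host}.crt")
    # A sub-directory that matches no selected hostname usually means a typo.
    for entry in sorted(os.listdir(bundle_dir)):
        if os.path.isdir(os.path.join(bundle_dir, entry)) and entry not in hostnames:
            problems.append(f"unexpected sub-directory {entry!r}")
    return problems


def package_bundle(bundle_dir):
    """Write <domain>.tar.gz next to bundle_dir, with the domain directory as root."""
    bundle_dir = os.path.normpath(bundle_dir)
    domain = os.path.basename(bundle_dir)
    out_path = os.path.join(os.path.dirname(bundle_dir), f"{domain}.tar.gz")
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(bundle_dir, arcname=domain)
    return out_path


def list_bundle(tar_path):
    """Return the sorted member names of a bundle, for a final look before upload."""
    with tarfile.open(tar_path, "r:gz") as tar:
        return sorted(member.name for member in tar.getmembers())


def make_sample_bundle(domain, hostnames, broken=False):
    """Write a constructed sample bundle to a temp directory and return its path.

    The PEM bodies are placeholders, not real certificates. With broken=True the
    first host's .crt gets CRLF line endings, a six-dash END marker and no
    trailing newline, the defects the checks above are meant to catch.
    """
    root = os.path.join(tempfile.mkdtemp(), domain)
    os.makedirs(root)
    block = PEM_BEGIN + b"\nPLACEHOLDER-BASE64-BODY\n" + PEM_END + b"\n"
    with open(os.path.join(root, "rootca.crt"), "wb") as fh:
        fh.write(block * 3)  # stands in for intermediate1, intermediate2, root
    for index, host in enumerate(hostnames):
        os.makedirs(os.path.join(root, host))
        data = block
        if broken and index == 0:
            data = (PEM_BEGIN + b"\nPLACEHOLDER\n" + PEM_END + b"-").replace(b"\n", b"\r\n")
        with open(os.path.join(root, host, f"{host}.crt"), "wb") as fh:
            fh.write(data)
    return root
```

Run check_bundle_dir against your real unpacked directory with the domain name and hostnames copied from the Security tab, fix anything it reports, and only then call package_bundle. The issuer order described in the Prerequisites section and the signatures themselves are outside what this script checks; for those, openssl can list the subject and issuer of every certificate in rootca.crt in file order (`openssl crl2pkcs7 -nocrl -certfile rootca.crt | openssl pkcs7 -print_certs -noout`) and confirm that a component certificate chains to it (`openssl verify -CAfile rootca.crt <hostname>/<hostname>.crt`).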

What to do next

If you have replaced the certificate for the vRealize Operations Manager resource component, you must reconfigure the load balancer node. See Configure SSL Passthrough for vRealize Operations Manager.