If you intend to generate and install external or third-party certificates, you must download the certificate signing request (CSR) from SDDC Manager UI and have it manually signed by a third-party CA. You can then use the controls in SDDC Manager UI to install the certificate.
Prerequisites
- The name of the top-level directory must exactly match the name of the domain as it appears in the list on the MGMT. page. For example,
- The PEM-encoded root CA certificate chain file (rootca.crt) must reside inside this top-level directory.
The rootca.crt file contains a root certificate authority and can have N number of intermediate certificates. The file structure of the rootca.crt file must look like the following example:
-----BEGIN CERTIFICATE----- <Intermediate1 certificate content> -----END CERTIFICATE------ -----BEGIN CERTIFICATE----- <Intermediate2 certificate content> -----END CERTIFICATE------ -----BEGIN CERTIFICATE----- <Root certificate content> -----END CERTIFICATE-----
In the above example, there are two intermediate certificates, intermediate1 and intermediate2, and a root certificate. Intermediate1 must use the certificate issued by intermediate2 and intermediate2 must use the certificate issued by Root CA.
- This directory must contain one sub-directory for each component resource.
The name of each sub-directory must exactly match the resource hostname of a corresponding component as it appears in the Resource Hostname column in the
tab.For example, nsxManager.vrack.vsphere.local and vcenter-1.vrack.vsphere.local.
- Each sub-directory must contain a corresponding .crt file, whose name must exactly match the resource as it appears in the Resource Hostname column in the tab. The content of the .crt file must end with a newline character. All certificates including rootca.crt must be in UNIX file format.
For example, the nsxManager.vrack.vsphere.local sub-directory must contain the nsxManager.vrack.vsphere.local.crt file.
Procedure
What to do next
If you have replaced the certificate for the vRealize Operations Manager resource component, you must reconfigure the load balancer node. See Configure SSL Passthrough for vRealize Operations Manager.