If you intend to generate and install non-Microsoft CA certificates, you must download the certificate signing request (CSR) from the SDDC Manager Dashboard and have it manually signed by a third-party CA. You can then use the controls in the SDDC Manager Dashboard to install the certificate.

Prerequisites

Verify that you have configured and packaged your certificate authority configuration files in the form of a .tar.gz file. The contents of this archive must adhere to the following structure:

  • The name of the top-level directory must exactly match the name of the domain as it appears in the list on the Inventory > Workload Domains page. For example, MGMT.

  • The PEM-encoded root CA certificate chain file (rootca.crt) must reside inside this top-level directory.

  • This directory must contain one sub-directory for each component resource.

    The name of each sub-directory must exactly match the resource hostname of a corresponding component as it appears in the Resource Hostname column in the Workload Domains > Security tab.

    For example, nsxManager.vrack.vsphere.local, vcenter-1.vrack.vsphere.local, and so on.

  • Each sub-directory must contain a corresponding .csr file, whose name must exactly match the resource as it appears in the Resource Type column in the Workload Domains > Security tab.

    For example, the nsxManager.vrack.vsphere.local sub-directory would contain the nsxManager.vrack.vsphere.local.csr file.

  • Each sub-directory must contain a corresponding .crt file, whose name must exactly match the resource as it appears in the Resource Type column in the Workload Domains > Security tab.

    For example, the nsxManager.vrack.vsphere.local sub-directory would contain the nsxManager.vrack.vsphere.local.crt file.

Note:

All resource and hostname values can be found in the list on the Inventory > Workload Domains > Security tab.

Procedure

  1. In the SDDC Manager Dashboard, navigate to Inventory > Workload Domains.

    The Workload Domains page displays information for all workload domains.

  2. In the list of domains, click the name of the workload domain to open the details page for that domain.

    The workload domain details page displays CPU, memory, and storage allocated to the domain.

  3. Select the Security tab.

    This tab lists the default certificates, among other details, for the Cloud Foundation resource components. It also provides controls for working with certificates.

    Note:

    You can view the current certificate and key information for a component by clicking the down-arrow icon next to the name.

  4. Generate the CSR.
    1. Use the check boxes to select the resource components for which you want to generate the CSR.
    2. Click Generate CSR.

      The Generate CSRs dialog box opens.

    3. Configure the following settings for the CSR.

      Algorithm: Select the key type for the certificate. RSA (the default) is typically used. The key type defines the encryption algorithm for communication between the hosts.

      Key Size: Select the key size (2048, 3072, or 4096 bit) from the dropdown list.

      Email: Optionally, enter a contact email address.

      Organization Unit: Use this field to differentiate between divisions within your organization with which this certificate is associated.

      Organization: Type the name under which your company is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request.

      Locality: Type the city or locality where your company is legally registered.

      State or Province Name: Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.

      Country: Enter the country where your company is legally registered. This value must be the ISO 3166 country code.

    4. Click Generate CSR.

    The Generate CSRs dialog box closes. The Security tab displays a status of CSR Generation is in progress. When CSR generation is complete, the Download CSR button becomes active.

  5. Click Download CSR to download and save the CSR files to the directory structure described in the Prerequisites section above.
  6. External to the SDDC Manager Dashboard, complete the following tasks:
    1. Verify that the .csr files were generated successfully and are placed in the required file structure.
    2. Get the certificate requests signed.

      This creates the corresponding .crt files.

    3. Verify that the newly acquired .crt files are correctly named and placed in the required file structure.
    4. Package the file structure as <domain name>.tar.gz.
  7. Click Upload and Install.
  8. In the Upload and Install Certificates dialog box, click Browse to locate and select the newly created <domain name>.tar.gz file.

    After you select the file, the Upload button becomes active.

  9. Click Upload.

    When upload is complete, the Install Certificate button becomes active.

  10. Click Install Certificate.

    The Security tab displays a status of Certificates Installation is in progress.

    Note:

    As installation completes, the Certificates Installation Status column for the affected components in the list changes to Successful with a green check mark.

    Important:

    If you selected SDDC Manager as one of the resource components, you must manually restart SDDC Manager services to reflect the new certificate and to establish a successful connection between Cloud Foundation services and other resources in the management domain.

    Important:

    If you selected vRealize Automation as one of the resource components, you must ensure that the vRealize Automation resource root certificate is trusted by all the vRealize Automation VMs in your deployment.

  11. Restart all services using the provided sddcmanager_restart_services.sh script.

    To restart the services:

    1. Using SSH, log in to the SDDC Manager VM with the following credentials:

      Username: vcf

      Password: use the password specified in the deployment parameter sheet

    2. Enter su to switch to the root user.
    3. Run the following command:
      sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh 

What to do next

If you have replaced the certificate for the vRealize Operations Manager resource component, you must reconfigure the load balancer node. See Configure SSL Passthrough for vRealize Operations Manager.