If you intend to generate and install external or third-party certificates, you must download the certificate signing request (CSR) from the SDDC Manager Dashboard and have it manually signed by a third-party CA. You can then use the controls in the SDDC Manager Dashboard to install the certificate.

Prerequisites

Verify that you have configured and packaged your certificate authority configuration files in the form of a <domain_name>.tar.gz file. The contents of this archive must adhere to the following structure:
  • The name of the top-level directory must exactly match the name of the domain as it appears in the list on the Inventory > Workload Domains page. For example, MGMT.
  • The PEM-encoded root CA certificate chain file (rootca.crt) must reside inside this top-level directory.

    The rootca.crt file contains the root certificate authority and can include any number of intermediate certificates. The file structure of the rootca.crt file must look like the following example:

    -----BEGIN CERTIFICATE-----
    <Intermediate1 certificate content>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Intermediate2 certificate content>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Root certificate content>
    -----END CERTIFICATE-----

    In the above example, there are two intermediate certificates, intermediate1 and intermediate2, and a root certificate. Intermediate1 must be issued by intermediate2, and intermediate2 must be issued by the root CA; the chain is listed from the intermediate closest to the server certificate down to the root, which comes last.

  • This directory must contain one sub-directory for each component resource.

    The name of each sub-directory must exactly match the resource hostname of a corresponding component as it appears in the Resource Hostname column in the Workload Domains > Security tab.

    For example, nsxManager.vrack.vsphere.local, vcenter-1.vrack.vsphere.local, and so on.

  • Each sub-directory must contain a corresponding .crt file, whose name must exactly match the resource as it appears in the Resource Hostname column in the Workload Domains > Security tab. The content of the .crt file must end with a newline character. All certificates, including rootca.crt, must be in UNIX file format (LF line endings, no carriage returns).

    For example, the nsxManager.vrack.vsphere.local sub-directory would contain the nsxManager.vrack.vsphere.local.crt file.

  • Additional requirements for NSX-T certificates are listed below.
    • Server certificate (NSXT_FQDN.crt) must contain the Basic Constraints field with value CA:FALSE.
    • Root CA certificate chain file (rootca.crt), intermediate certificates, and root certificate must contain the Basic Constraints field with value CA:TRUE.
    • If the NSX-T certificate contains an HTTP- or HTTPS-based CRL Distribution Point, that URL must be reachable from the server.
    • The extended key usage (EKU) of the issued certificate must include the EKU values present in the generated CSR.
Note: All resource and hostname values can be found in the list on the Inventory > Workload Domains > Security tab.
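As an added example that is not part of this VMware documentation, the following Python script checks a prepared <domain_name> directory against the layout above (rootca.crt at the top level, one <hostname>/<hostname>.crt per component, PEM encoding, UNIX line endings, trailing newline) and packages it as <domain_name>.tar.gz, which covers the verification and packaging tasks in step 6 of the procedure. It does not inspect certificate contents (Basic Constraints, EKU, CRL distribution points). The domain name MGMT and the hostnames are the page's own examples; the PEM body is a constructed placeholder, and demo() builds its sample tree in a temporary directory.

```python
import os
import tarfile
import tempfile

FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"  # placeholder, not a real certificate

def check_crt(path, problems):
    # Checks common to every .crt file: PEM-encoded, UNIX line endings, ends with a newline.
    data = open(path, "rb").read()
    for bad, msg in ((b"-----BEGIN CERTIFICATE-----" not in data, "not PEM-encoded"),
                     (b"\r" in data, "contains CR characters (not UNIX file format)"),
                     (not data.endswith(b"\n"), "does not end with a newline character")):
        if bad:
            problems.append(f"{path}: {msg}")

def validate_bundle(parent, domain):
    # Returns a list of problems; an empty list means parent/<domain> matches the required layout.
    top = os.path.join(parent, domain)
    if not os.path.isdir(top):
        return [f"top-level directory {domain} is missing"]
    hosts = sorted(d for d in os.listdir(top) if os.path.isdir(os.path.join(top, d)))
    problems = []
    for rel in ["rootca.crt"] + [os.path.join(h, h + ".crt") for h in hosts]:  # <host>/<host>.crt
        path = os.path.join(top, rel)
        check_crt(path, problems) if os.path.isfile(path) else problems.append(f"missing {rel}")
    return problems

def package_bundle(parent, domain):
    # Writes <domain>.tar.gz with <domain>/ as its only top-level entry (step 6.4 of the procedure).
    out = os.path.join(parent, domain + ".tar.gz")
    with tarfile.open(out, "w:gz") as tar:
        tar.add(os.path.join(parent, domain), arcname=domain)
    return out

def demo(valid=True):
    # Builds a constructed MGMT tree with the page's example hostnames, validates it, then packages it.
    parent = tempfile.mkdtemp()
    top = os.path.join(parent, "MGMT")
    hosts = ("vcenter-1.vrack.vsphere.local", "nsxManager.vrack.vsphere.local")
    files = {"rootca.crt": FAKE_CERT * 3}  # intermediate1, intermediate2, root, in that order
    for host in hosts:
        os.makedirs(os.path.join(top, host))
        files[os.path.join(host, host + ".crt")] = FAKE_CERT
    if not valid:  # NSX-T file written with CRLF endings and without a trailing newline
        files[os.path.join(hosts[1], hosts[1] + ".crt")] = FAKE_CERT.replace("\n", "\r\n").rstrip()
    for rel, body in files.items():
        with open(os.path.join(top, rel), "w", newline="") as f:
            f.write(body)
    problems = validate_bundle(parent, "MGMT")
    return problems, (package_bundle(parent, "MGMT") if not problems else None)
```

Run validate_bundle against the real <domain_name> directory before packaging; any reported problem means SDDC Manager will reject or mis-map the archive.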

Procedure

  1. In the SDDC Manager Dashboard, navigate to Inventory > Workload Domains.
    The Workload Domains page displays information for all workload domains.
  2. In the list of domains, click the name of the workload domain to open the details page for that domain.
    The workload domain details page displays CPU, memory, and storage allocated to the domain.
  3. Select the Security tab.
    This tab lists the default certificates, among other details, for the Cloud Foundation resource components. It also provides controls for working with certificates.
    Note: You can view the current certificate and key information for a component by clicking the down-arrow icon next to the name.
  4. Generate the CSR.
    1. Use the check boxes to select the resource components for which you want to generate the CSR.
    2. Click Generate CSR.
      The Generate CSRs dialog box opens.
    3. Configure the following settings for the CSR.
      Algorithm: Select the key type for the certificate. RSA (the default) is typically used. The key type determines the public-key algorithm of the certificate's key pair, which secures communication between the components.
      Key Size: Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email: Optionally, enter a contact email address.
      Organizational Unit: Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization: Type the name under which your company is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality: Type the city or locality where your company is legally registered.
      State or Province Name: Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country: Type the country where your company is legally registered. This value must be the two-letter ISO 3166 country code.
    4. Click Generate CSR.
    The Generate CSRs dialog box closes. The Security tab displays a status of CSR Generation is in progress. When CSR generation is complete, the Download CSR button becomes active.
  5. Click Download CSR to download and save the CSR files to the directory structure described in the Prerequisites section above.
  6. External to the SDDC Manager Dashboard, complete the following tasks:
    1. Verify that the .csr files were generated successfully and are placed in the required file structure.
    2. Get the certificate requests signed.
      This will create the corresponding .crt files.
    3. Verify that the newly acquired .crt files are correctly named and placed in the required file structure.
    4. Package the file structure as <domain name>.tar.gz. The <domain name> folder must include the rootca.crt file.
  7. Click Upload and Install.
  8. In the Upload and Install Certificates dialog box, click Browse to locate and select the newly created <domain name>.tar.gz file.
    After you select the file, the Upload button becomes active.
  9. Click Upload.
    When upload is complete, the Install Certificate button becomes active.
  10. Click Install Certificate.
    The Security tab displays a status of Certificates Installation is in progress.
    Note: As installation completes, the Certificates Installation Status column for the affected components in the list changes to Successful with a green check mark.
    Important: If you selected SDDC Manager as one of the resource components, you must manually restart SDDC Manager services to reflect the new certificate and to establish a successful connection between VMware Cloud Foundation services and other resources in the management domain.
  11. Restart all services using the provided sddcmanager_restart_services.sh script.
    To restart the service:
    1. Using SSH, log in to the SDDC Manager VM with the following credentials:
      User name: vcf

      Password: use the password specified in the deployment parameter workbook.

    2. Enter su to switch to the root user.
    3. Run the following command:
      sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh