You can manage certificates for all external-facing VMware Cloud Foundation component resources, including configuring a certificate authority, generating and downloading CSRs, and installing them. This section provides instructions for using either the built-in OpenSSL Certificate Authority, which is part of SDDC Manager, or a Microsoft Certificate Authority.

You can manage the certificates for the following components.

  • vCenter Server
  • NSX Manager
  • SDDC Manager
  • vRealize Suite Lifecycle Manager

Note: VMware Cloud Foundation does not manage certificates for ESXi hosts. By default, ESXi hosts use VMCA-signed certificates, but they can also use external CA-signed certificates. If ESXi hosts are using VMCA-signed certificates, VMCA manages the certificates and certificate rotation. If ESXi hosts are using external certificates, you are responsible for managing the certificates. For more information about external certificates, see Configure ESXi Hosts with Signed Certificates.

You replace certificates for the following reasons:
  • Certificate has expired or is close to expiring.
  • Certificate has been revoked.
  • You do not want to use the default VMCA certificate.
  • Optionally, when you create a new workload domain.

However, it is recommended that you replace all certificates right after deploying VMware Cloud Foundation. After you create new workload domains, you can replace certificates for the appropriate components as needed.
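The first replacement trigger above, a certificate that is close to expiring, is something you can check locally with the same OpenSSL tooling the built-in CA relies on. The script below is an added example and not part of the VMware documentation or SDDC Manager; the hostnames and the two self-signed certificates it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag PEM certificates that reach notAfter within a renewal
# window. The two certificates and their hostnames are constructed test data.
set -e

WORK="$(mktemp -d)"

# Create a constructed self-signed certificate with the given lifetime in days.
make_cert() {  # $1 = output PEM path, $2 = CN (hypothetical host), $3 = days
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$1" >/dev/null 2>&1
}

# Print "expiring" if the certificate expires within $2 days, otherwise "ok".
# 'openssl x509 -checkend N' exits 0 only if the cert is still valid N seconds
# from now, so a non-zero exit means the renewal window has been entered.
cert_status() {  # $1 = PEM path, $2 = threshold in days
  secs=$(( $2 * 86400 ))
  if openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo expiring
  fi
}

# Print the certificate's notAfter date for the renewal report.
cert_not_after() {  # $1 = PEM path
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

main() {
  # Constructed inputs: one cert inside a 30-day window, one well outside it.
  make_cert "$WORK/sddc.pem" sddc-manager.example.test 10
  make_cert "$WORK/vc.pem"   vcenter.example.test 365
  for f in "$WORK/sddc.pem" "$WORK/vc.pem"; do
    printf '%s\t%s\tnotAfter=%s\n' "$f" "$(cert_status "$f" 30)" "$(cert_not_after "$f")"
  done
}

main "$@"
```

Run the same `cert_status` check against the certificate exported from each component in the list above to decide which ones need a new CSR before their notAfter date.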