VMware Cloud Foundation supports installing third-party certificates. You download the certificate signing request (CSR) from SDDC Manager, have it signed by a third-party Certificate Authority, and then use the controls in the SDDC Manager UI to install the signed certificate.

Prerequisites

Uploading CA-Signed certificates from a Third Party Certificate Authority requires that you collect the relevant certificate files in the correct format and then create a single .tar.gz file with the contents. It's important that you create the correct directory structure within the .tar.gz file as follows:

  • The name of the top-level directory must exactly match the name of the workload domain as it appears in the list on the Inventory > Workload Domains page. For example, sfo-m01.

    • The root CA certificate chain file (must be named rootca.crt) must reside inside this top-level directory. The rootca.crt chain file contains the root certificate authority and can include any number of intermediate certificates.

    • This directory must contain one sub-directory for each component resource for which you want to replace the certificates.

  • Each sub-directory must exactly match the resource hostname of a corresponding component as it appears in the Resource Hostname column in the Workload Domains > Security tab.

    • Each sub-directory must contain the corresponding .csr file, whose name must exactly match the resource as it appears in the Resource Hostname column in the Workload Domains > Security tab.

    • Each sub-directory must contain a corresponding .crt file, whose name must exactly match the resource as it appears in the Resource Hostname column in the Workload Domains > Security tab.

Note:

All resource and hostname values can be found in the list on the Inventory > Workload Domains > Security tab.

Procedure

  1. In the navigation pane, click Inventory > Workload Domains.
  2. On the Workload Domains page, in the Domain column of the table, click the workload domain you want to view.
  3. On the domain summary page, click the Security tab.
  4. Generate CSR files for the target components.
    1. From the table, select the check box for the resource type for which you want to generate a CSR.
    2. Click Generate CSRs.
      The Generate CSRs wizard opens.
    3. On the Details dialog, configure the settings and click Next.

      • Algorithm: Select the key algorithm for the certificate.
      • Key Size: Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      • Email: Optionally, enter a contact email address.
      • Organizational Unit: Use this field to differentiate between divisions within your organization with which this certificate is associated.
      • Organization Name: Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      • Locality: Type the city or locality where your company is legally registered.
      • State: Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      • Country: Type the country where your company is legally registered. This value must use the ISO 3166 country code.

    4. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
      You can enter multiple values separated by comma (,), semicolon (;), or space ( ). For NSX-T, you can enter the subject alternative name for each node along with the Virtual IP (master) node.
      Note: Wildcard subject alternative names, such as *.example.com, are not recommended.
    5. On the Summary dialog, click Generate CSRs.
  5. Click Download CSR to download the CSR files, and save them into the directory structure described in the prerequisites.
  6. Complete the following tasks outside of the SDDC Manager UI:
    1. Verify that the .csr files were generated successfully and are placed in the required directory structure.
    2. Request a signed certificate from a third-party Certificate Authority for each .csr.
    3. Verify that the newly acquired .crt files are correctly named and placed in the required directory structure.
    4. Create a new .tar.gz file of the directory structure ready for upload to SDDC Manager. For example: <domain name>.tar.gz.
  7. Click Upload and Install.
  8. In the Upload and Install Certificates dialog box, click Browse to locate and select the newly created <domain name>.tar.gz file and click Open.
  9. Click Upload.
  10. If the upload is successful, click Install Certificate. The Security tab displays a status of Certificate Installation is in progress.
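The prerequisites above and step 6 both depend on getting the directory layout of the bundle exactly right before it is uploaded. The following POSIX shell script is an added example, not VMware's code or part of the SDDC Manager product: it checks a directory against the layout described in the prerequisites (top-level directory named after the workload domain, rootca.crt inside it, one sub-directory per resource hostname holding <hostname>.csr and <hostname>.crt), packages it as <domain name>.tar.gz, and, where openssl is available, confirms that each signed .crt chains to rootca.crt and carries the public key from its CSR. The hostnames vc01.example.com and nsx01.example.com and the empty placeholder files are constructed for the demonstration; the domain name sfo-m01 is the example used on the page.

```shell
#!/bin/sh
# Added example (not VMware's code): pre-flight check and packaging for the
# <domain name>.tar.gz bundle that SDDC Manager expects. Layout assumed from
# the prerequisites:
#   <domain>/rootca.crt
#   <domain>/<resource hostname>/<resource hostname>.csr
#   <domain>/<resource hostname>/<resource hostname>.crt

# check_bundle_layout DIR: print every layout problem; return 0 only if none.
check_bundle_layout() {
    dir=${1%/}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing top-level directory: $dir"
        return 1
    fi
    # rootca.crt (root CA plus any intermediates) sits directly in the top-level directory.
    [ -f "$dir/rootca.crt" ] || { echo "missing $dir/rootca.crt"; rc=1; }
    found=0
    for sub in "$dir"/*/; do
        sub=${sub%/}
        [ -d "$sub" ] || continue          # glob did not expand: no sub-directories
        found=1
        host=$(basename "$sub")
        # Both files must carry the resource hostname as their base name.
        [ -f "$sub/$host.csr" ] || { echo "missing $sub/$host.csr"; rc=1; }
        [ -f "$sub/$host.crt" ] || { echo "missing $sub/$host.crt"; rc=1; }
        # Anything else in the sub-directory is worth a look before uploading
        # (a stray private key, for instance); reported, not treated as an error.
        for f in "$sub"/*; do
            [ -e "$f" ] || continue
            case $(basename "$f") in
                "$host.csr"|"$host.crt") ;;
                *) echo "note: extra file $f" ;;
            esac
        done
    done
    [ "$found" -eq 1 ] || { echo "no resource sub-directories under $dir"; rc=1; }
    return $rc
}

# verify_signed_certs DIR: with openssl, confirm each .crt chains to rootca.crt
# and has the same public key as the CSR it was issued for.
verify_signed_certs() {
    dir=${1%/}
    rc=0
    for sub in "$dir"/*/; do
        sub=${sub%/}
        [ -d "$sub" ] || continue
        host=$(basename "$sub")
        openssl verify -CAfile "$dir/rootca.crt" "$sub/$host.crt" >/dev/null 2>&1 \
            || { echo "$host.crt does not chain to rootca.crt"; rc=1; }
        csr_key=$(openssl req -in "$sub/$host.csr" -noout -pubkey 2>/dev/null)
        crt_key=$(openssl x509 -in "$sub/$host.crt" -noout -pubkey 2>/dev/null)
        { [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]; } \
            || { echo "$host.crt public key does not match $host.csr"; rc=1; }
    done
    return $rc
}

# build_bundle DIR: package DIR as DIR.tar.gz with DIR itself as the top-level
# entry, and print the bundle path. Refuses to package a bad layout.
build_bundle() {
    dir=${1%/}
    check_bundle_layout "$dir" || return 1
    tar -czf "$dir.tar.gz" -C "$(dirname "$dir")" "$(basename "$dir")" \
        && echo "$dir.tar.gz"
}

# make_sample_layout BASE: constructed demonstration tree (empty placeholder
# files, not real PEM data) for the example domain sfo-m01.
make_sample_layout() {
    base=$1
    for h in vc01.example.com nsx01.example.com; do
        mkdir -p "$base/sfo-m01/$h"
        : > "$base/sfo-m01/$h/$h.csr"
        : > "$base/sfo-m01/$h/$h.crt"
    done
    : > "$base/sfo-m01/rootca.crt"
}

# Demonstration run: a good layout is packaged; then a signed cert is removed
# to show the check failing.
work=$(mktemp -d)
make_sample_layout "$work"
build_bundle "$work/sfo-m01" || echo "packaging failed"
rm "$work/sfo-m01/nsx01.example.com/nsx01.example.com.crt"
check_bundle_layout "$work/sfo-m01" || echo "layout check failed as expected"
rm -rf "$work"
```

Run verify_signed_certs only after the .crt files have come back from the CA; with the empty placeholder files of the demonstration it reports every host, which is the intended behaviour for anything that is not a valid certificate.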