You can manage certificates for all user interface and API endpoints in a VMware Cloud Foundation instance. This includes integrating a certificate authority, generating certificate signing requests (CSRs) and submitting them to a certificate authority, and downloading and installing certificates.

This section provides instructions for each of the following options:

  • Using OpenSSL as a certificate authority, which is a native option in SDDC Manager.
  • Integrating with Microsoft Active Directory Certificate Services.
  • Providing signed certificates from another external certificate authority.

You can manage the certificates for the following components.

  • vCenter Server
  • NSX Manager
  • SDDC Manager
  • VxRail Manager
  • vRealize Suite Lifecycle Manager
    Note: Use vRealize Suite Lifecycle Manager to manage certificates for the other vRealize Suite components.

You replace certificates for the following reasons:

  • A certificate has expired or is nearing its expiration date.
  • A certificate has been revoked by the issuing certificate authority.
  • You do not want to use the default VMCA-signed certificates.
  • Optionally, when you create a new workload domain.

It is recommended that you replace all certificates after completing the deployment of the VMware Cloud Foundation management domain. After you create a new VI workload domain, you can replace certificates for the appropriate components as needed.