You can manage certificates for all user interface and API endpoints in a VMware Cloud Foundation instance, including integrating a certificate authority, generating and submitting certificate signing requests (CSR) to a certificate authority, and downloading and installing certificates.

This section provides instructions for the following options:

  • Using OpenSSL as a certificate authority, which is the native option in SDDC Manager.
  • Integrating with Microsoft Active Directory Certificate Services.
  • Providing signed certificates from another external certificate authority.

You can manage the certificates for the following components.

  • vCenter Server
  • NSX Manager
  • SDDC Manager
  • vRealize Suite Lifecycle Manager
    Note: Use vRealize Suite Lifecycle Manager to manage certificates for the other vRealize Suite components.

Note: VMware Cloud Foundation does not manage certificates for ESXi hosts. By default, ESXi hosts use certificates signed by the VMware Certificate Authority (VMCA), but they can also use external CA-signed certificates. If ESXi hosts are using VMCA-signed certificates, VMCA manages the certificates and certificate rotation. If ESXi hosts are using external certificates, you are responsible for managing the certificates. For more information about external certificates, see Configure ESXi Hosts with Signed Certificates.

You replace certificates for the following reasons:

  • A certificate has expired or is nearing its expiration date.
  • A certificate has been revoked by the issuing certificate authority.
  • You do not want to use the default VMCA-signed certificates.
  • Optionally, when you create a new workload domain.

It is recommended that you replace all certificates after completing the deployment of the VMware Cloud Foundation management domain. After you create a new VI workload domain, you can replace certificates for the appropriate components as needed.
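As an added example, not from the VMware Cloud Foundation documentation, the following shell helpers show two of the tasks described above done directly with OpenSSL: generating a CSR for a component endpoint (with the FQDN as a subject alternative name) and checking whether an endpoint's current certificate falls inside an expiry window, which is the first of the replacement reasons listed. The host names, output directory and organization name are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not VCF or SDDC Manager code). Requires OpenSSL 1.1.1 or later
# for the -addext option. All host names and paths are placeholders.
set -euo pipefail

# Generate a private key and CSR for a component FQDN, with the FQDN as a SAN.
# Arguments: fqdn outdir. Writes <fqdn>.key and <fqdn>.csr; prints the CSR path.
# The CSR is what you submit to the CA (OpenSSL, AD CS or another external CA).
make_csr() {
  local fqdn="$1" outdir="$2"
  mkdir -p "$outdir"
  openssl req -new -newkey rsa:3072 -nodes \
    -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
    -subj "/CN=$fqdn/O=Example Org" \
    -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
  chmod 600 "$outdir/$fqdn.key"   # the private key never leaves this host unprotected
  printf '%s\n' "$outdir/$fqdn.csr"
}

# Return 0 if the PEM certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 when the certificate is still valid after the
# window, so the sense is inverted here so the function name reads naturally.
cert_expires_within_days() {
  local pem="$1" days="$2"
  if openssl x509 -in "$pem" -noout -checkend $(( days * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# Fetch the leaf certificate presented at host:port (SNI set to host) and save
# it as PEM, so it can be passed to cert_expires_within_days. Network access
# is required; this is the step you would run against vCenter Server, NSX
# Manager or SDDC Manager endpoints.
fetch_endpoint_cert() {
  local host="$1" port="$2" out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}
```

A renewal sweep is then a loop over the endpoints calling `fetch_endpoint_cert` and `cert_expires_within_days` with the lead time your renewal process needs (for example 30 days), generating a CSR with `make_csr` for each host that is flagged.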