When you deploy multiple instances of SDDC Manager that are joined to the same Single Sign-On (SSO) domain, you must take steps to ensure that certificates are installed correctly.

By default, each vCenter Server that you deploy uses VMCA-signed certificates. VMware recommends that you replace the default VMCA-signed certificates for each management domain vCenter Server, across all SDDC Manager instances, with certificates signed by the same external Certificate Authority (CA). After you deploy a new VI workload domain in any of the SDDC Manager instances, install a certificate in the VI workload domain vCenter Server that is signed by the same external CA as the management domain vCenter Servers.

If you plan to use the default VMCA-signed certificates for each vCenter Server across all SDDC Manager instances, you must take the following steps every time an additional vCenter Server Appliance is introduced to the SSO domain by any SDDC Manager instance:
  • Import the VMCA machine certificate for the new vCenter Server Appliance into the trust store of all other SDDC Manager instances participating in that SSO domain.
An additional vCenter Server Appliance is introduced to the SSO domain when:
  • You deploy a new SDDC Manager instance that shares the same SSO domain as an existing SDDC Manager instance.
  • You deploy a new VI workload domain in any of the SDDC Manager instances that share an SSO domain.

Procedure

  1. Get the certificate for the new management or VI workload domain vCenter Server.
    1. SSH to the new vCenter Server Appliance using the root user account.
    2. Enter Shell.
    3. Retrieve the certificate from the VMware Endpoint Certificate Store (VECS) and write it to an output file.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/<new-vcenter>.cer
  2. Copy the certificate (<new-vcenter>.cer) to a computer that has access to the SDDC Manager instance(s) to which you want to import the certificate.
  3. Import the certificate to the trust store of the SDDC Manager instance(s).
    1. Copy the certificate to the SDDC Manager appliance.
      For example, /tmp/<new-vcenter>.cer.
    2. SSH in to the SDDC Manager appliance using the vcf user account.
    3. Enter su to switch to the root user.
    4. Run the following commands (the first import uses the SDDC Manager trust store password read from trusted_certificates.key; the second import goes into the JRE cacerts keystore, whose default password is changeit):
      trustedKey=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)
      (echo "$trustedKey"; sleep 1; echo "Yes") | keytool -importcert -alias <new-vcenter> -file /tmp/<new-vcenter>.cer -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store
      echo "Yes" | keytool -importcert -alias <new-vcenter> -file /tmp/<new-vcenter>.cer -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit
    5. Validate the keystore entries.
      keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $trustedKey
  4. Restart all SDDC Manager services on each SDDC Manager instance to which you imported a trusted certificate.
    echo "Y" | /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
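Step 3.5 only lists the keystore; it does not prove that the entry under the new alias is really the certificate you exported in step 1. The following script is an added example, not part of the original procedure or of VMware's tooling: it computes the SHA-256 fingerprint of the exported <new-vcenter>.cer and checks it against the fingerprints printed by keytool -list -v, so a wrong, stale or mislabelled entry is caught before services are restarted. Run it on each SDDC Manager instance you imported into; the PEM body and keytool listing embedded below are constructed stand-ins (the PEM is not a real certificate), and the alias name vcenter01 is an assumption.

```python
import base64
import hashlib
import re

def pem_sha256_fingerprint(pem_text: str) -> str:
    """Colon-separated SHA-256 fingerprint of the first PEM block (hash of the DER bytes),
    in the same form keytool prints it."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found in certificate file")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def keystore_fingerprints(listing: str) -> dict:
    """Parse `keytool -list -v` output into {alias: SHA-256 fingerprint}."""
    entries, alias = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("SHA256:") and alias is not None:
            entries[alias] = line.split(":", 1)[1].strip().upper()
    return entries

def entry_matches(alias: str, pem_text: str, listing: str) -> bool:
    """True only if the keystore entry `alias` carries the fingerprint of `pem_text`."""
    return keystore_fingerprints(listing).get(alias) == pem_sha256_fingerprint(pem_text)

# Constructed sample input: the PEM body is base64 of the bytes "hello", not an X.509 cert,
# so its "fingerprint" is simply SHA-256("hello"); the listing mimics keytool -list -v.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"
SAMPLE_LISTING = """Alias name: vcenter01
Entry type: trustedCertEntry
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
\t SHA256: 2C:F2:4D:BA:5F:B0:A3:0E:26:E8:3B:2A:C5:B9:E2:9E:1B:16:1E:5C:1F:A7:42:5E:73:04:33:62:93:8B:98:24
Alias name: other
Entry type: trustedCertEntry
Certificate fingerprints:
\t SHA256: AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
"""

if __name__ == "__main__":
    # Real usage: python3 check_trust.py /tmp/<new-vcenter>.cer <alias> < listing.txt
    import sys
    cert, alias = open(sys.argv[1]).read(), sys.argv[2]
    print("OK" if entry_matches(alias, cert, sys.stdin.read()) else "MISMATCH")
```

Feed it the output of step 3.5 (keytool -list -v ... -storepass "$trustedKey") on standard input; a MISMATCH means the alias exists but does not hold the exported certificate.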