When you deploy multiple instances of SDDC Manager that are joined to the same Single Sign-On (SSO) domain, you must take steps to ensure that certificates are installed correctly.
By default, each vCenter Server that you deploy uses VMCA-signed certificates. VMware recommends that you replace the default VMCA-signed certificates for each management domain vCenter Server, across all SDDC Manager instances, with certificates signed by the same external Certificate Authority (CA). After you deploy a new VI workload domain in any of the SDDC Manager instances, install a certificate in the VI workload domain vCenter Server that is signed by the same external CA as the management domain vCenter Servers.
If you plan to use the default VMCA-signed certificates for each vCenter Server across all SDDC Manager instances, you must take the following step every time an additional vCenter Server Appliance is introduced to the SSO domain by any SDDC Manager instance:
- Import the VMCA machine certificate for the new vCenter Server Appliance into the trust store of all other SDDC Manager instances participating in that SSO domain.
An additional vCenter Server Appliance is introduced to the SSO domain when:
- You deploy a new SDDC Manager instance that shares the same SSO domain as an existing SDDC Manager instance.
- You deploy a new VI workload domain in any of the SDDC Manager instances that share an SSO domain.
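The check below is an added example, not VMware's code or part of SDDC Manager: given the machine certificates of the vCenter Servers in an SSO domain exported to PEM files, it confirms that they are all issued by the same CA (the recommended state above) and names any appliance whose issuer differs, which is the one whose certificate would still need to be imported or replaced. It assumes `openssl` is on PATH; the certificates it generates are constructed test data, not real vCenter certificates.

```shell
#!/bin/sh
# Added example (not VMware's code): verify that a set of vCenter Server
# machine certificates (PEM files) all share one issuing CA.
# Assumes the certificates were exported to PEM and openssl is on PATH.
set -eu

# issuer_of FILE: print the issuer DN of a PEM certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# same_issuer FILE...: succeed only if every certificate has the same issuer;
# report each certificate whose issuer differs from the first one given.
same_issuer() {
    first=''
    rc=0
    for f in "$@"; do
        iss=$(issuer_of "$f")
        if [ -z "$first" ]; then
            first=$iss
            echo "reference issuer ($f): $first"
        elif [ "$iss" != "$first" ]; then
            echo "MISMATCH: $f is issued by '$iss'" >&2
            rc=1
        fi
    done
    return $rc
}

# make_demo_certs DIR: constructed test data. vc1 and vc2 are signed by one
# throwaway "external" CA; vc3 is self-signed, standing in for an appliance
# whose certificate comes from a different issuer.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo External CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for vc in vc1 vc2; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$vc.example.test" \
            -keyout "$d/$vc.key" -out "$d/$vc.csr" 2>/dev/null
        openssl x509 -req -in "$d/$vc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$vc.pem" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vc3.example.test' \
        -keyout "$d/vc3.key" -out "$d/vc3.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo_certs "$DEMO_DIR"
same_issuer "$DEMO_DIR/vc1.pem" "$DEMO_DIR/vc2.pem"
same_issuer "$DEMO_DIR/vc1.pem" "$DEMO_DIR/vc3.pem" || echo "vc3 needs attention"
```

In a real deployment, run `same_issuer` over the exported certificate of every management and VI workload domain vCenter Server across all SDDC Manager instances in the SSO domain.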