VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the new method, which is the default method for VMware Cloud Foundation 4.5.1 and later.

If you prefer to use the legacy method for installing third-party CA-signed certificates, see Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle.


  1. In the navigation pane, click Inventory > Workload Domains.
  2. On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
  3. On the domain summary page, click the Certificates tab.
  4. Generate CSR files for the target components.
    1. From the table, select the check box for the resource type for which you want to generate a CSR.
    2. Click Generate CSRs.
      The Generate CSRs wizard opens.
    3. On the Details dialog, configure the settings and click Next.




      Select the key algorithm for the certificate.

      Key Size

      Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.


      Optionally, enter a contact email address.

      Organizational Unit

      Use this field to differentiate between divisions within your organization with which this certificate is associated.

      Organization Name

      Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.


      Type the city or locality where your company is legally registered.


      Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.


      Type the country name where your company is legally registered. This value must use the ISO 3166 country code.

    4. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
      You can enter multiple values separated by comma (,), semicolon (;), or space ( ). For NSX-T, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
      Note: Wildcard subject alternative name, such as *.example.com are not recommended.
    5. On the Summary dialog, click Generate CSRs.
  5. Download and save the CSR files by clicking Download CSR.
  6. When the downloads complete, request signed certificates from your third-party Certificate Authority for each .csr.
  7. After you receive the signed certificates, open the SDDC Manager UI and click Upload and Install.
  8. In the Install Signed Certificates dialog box, select the resource for which you want to install a signed certificate.
    The drop-down menu includes all resources for which you have generated and downloaded CSRs.
  9. Select a Source and enter the required information.
    Source Required Information
    Paste Text Copy and paste the:
    • Server Certificate
    • Certificate Authority
    Paste the server certificate and the certificate authority in PEM format (base64-encoded) . For example:
    <certificate content>
    -----END CERTIFICATE------
    If the Certificate Authority includes intermediate certificates, it should be in the following format:
    <Intermediate certificate content>
    -----END CERTIFICATE------
    <Root certificate content>
    -----END CERTIFICATE-----
    File Upload Click Browse to upload the:
    • Server Certificate
    • Certificate Authority

    Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.

    Certificate Chain Click Browse to upload the certificate chain.

    Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.

  10. Click Validate.
    If validation fails, resolve the issues and try again, or click Remove to skip the certificate installation.
  11. To install a signed certificate for another resource, click Add Another and repeat steps 8-10 for each resource.
  12. Once all signed certificates have been validated successfully, click Install.