When you deploy multiple instances of SDDC Manager that are joined to the same Single Sign-On (SSO) domain, you must take steps to ensure that certificates are installed correctly.
Note: In VMware Cloud Foundation 4.5, the ability to join multiple VMware Cloud Foundation instances to the same vCenter Single Sign-On domain is deprecated.
By default, each vCenter Server that you deploy uses VMCA-signed certificates. VMware recommends that you replace the default VMCA-signed certificates for each management domain vCenter Server, across all SDDC Manager instances, with certificates signed by the same external Certificate Authority (CA). After you deploy a new VI workload domain in any of the SDDC Manager instances, install a certificate in the VI workload domain vCenter Server that is signed by the same external CA as the management domain vCenter Servers.
If you plan to use the default VMCA-signed certificates for each vCenter Server across all SDDC Manager instances, you must take the following step every time an additional vCenter Server Appliance is introduced to the SSO domain by any SDDC Manager instance:
- Import the VMCA machine certificate for the new vCenter Server Appliance into the trust store of all other SDDC Manager instances participating in that SSO domain.
An additional vCenter Server Appliance is introduced to the SSO domain when:
- You deploy a new SDDC Manager instance that shares the same SSO domain as an existing SDDC Manager instance.
- You deploy a new VI workload domain in any of the SDDC Manager instances that share an SSO domain.
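The following script is an added example and is not part of the VMware documentation or of any VMware product. It is a pre-check for the recommendation above: given the certificates exported from each vCenter Server as PEM files, it confirms that all of them were issued by one and the same CA, and flags the case the page warns about, where one vCenter Server still carries a VMCA-signed certificate while the others use the external CA. The CA names, hostnames, and file paths are constructed for the demo; `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not VMware's code): check that every vCenter Server certificate
# in a set shares the same issuer. Inputs are assumed to be PEM certificate
# files; the CAs, hostnames and paths built in demo() are constructed fixtures.

# issuer_of FILE -> prints the issuer DN of a PEM certificate
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# same_issuer FILE... -> returns 0 when every certificate shares one issuer,
# 1 on the first mismatch or unreadable file (reported on stderr)
same_issuer() {
    first=""
    for f in "$@"; do
        i=$(issuer_of "$f")
        [ -n "$i" ] || { echo "cannot read issuer of $f" >&2; return 1; }
        if [ -z "$first" ]; then
            first=$i
        elif [ "$i" != "$first" ]; then
            echo "issuer mismatch: $f is issued by '$i', expected '$first'" >&2
            return 1
        fi
    done
    echo "all $# certificate(s) issued by: $first"
}

# --- demo fixtures (constructed stand-ins for an external CA and for VMCA) ---

# make_ca CN OUT -> self-signed CA certificate OUT with private key OUT.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# make_leaf CA CN OUT -> certificate OUT for host CN, signed by CA (key CA.key)
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$3.csr" -CA "$1" -CAkey "$1.key" -CAcreateserial \
        -days 1 -out "$3" >/dev/null 2>&1
}

# demo -> two management domain vCenter certificates from the corporate CA pass;
# adding a VMCA-signed workload domain vCenter certificate is rejected
demo() {
    d=$(mktemp -d)
    make_ca "Demo Corp Root CA" "$d/corp.pem"   # stands in for the external CA
    make_ca "Demo VMCA" "$d/vmca.pem"           # stands in for a vCenter's VMCA
    make_leaf "$d/corp.pem" "vc-mgmt-a.example.test" "$d/a.pem"
    make_leaf "$d/corp.pem" "vc-mgmt-b.example.test" "$d/b.pem"
    make_leaf "$d/vmca.pem" "vc-wld-c.example.test"  "$d/c.pem"
    same_issuer "$d/a.pem" "$d/b.pem"
    if same_issuer "$d/a.pem" "$d/b.pem" "$d/c.pem"; then
        echo "unexpected: mixed issuers were accepted"
    else
        echo "mixed issuers rejected, as intended"
    fi
    rm -rf "$d"
}

demo
```

In practice you would point `same_issuer` at the certificates exported from every management domain vCenter Server and from each VI workload domain vCenter Server across all SDDC Manager instances; a non-zero exit identifies the first appliance whose certificate was not issued by the shared external CA. The check compares issuer names only, so it is a quick consistency test, not a substitute for validating the chain against the CA you actually trust.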