You design authentication access, controls, and certificate management for the SDDC Manager according to industry standards and the requirements of your organization.

Identity Management

Users can log in to SDDC Manager only if they are granted access by using vCenter Single Sign-On. These users can be local users created in the associated vCenter Single Sign-On domain or domain users imported from Microsoft Active Directory or OpenLDAP into the associated vCenter Single Sign-On domain.

For more information about Identity Access and Management design for SDDC Manager, see Identity and Access Management for VMware Cloud Foundation.

Certificate Management

You access all SDDC Manager interfaces over SSL connection. By default, SDDC Manager uses a certificate that is signed by the VMware Certificate Authority (VMCA). To provide secure access to the SDDC Manager appliance, replace the default certificate with a certificate that is signed by a trusted CA.

Table 1. Design Decisions on Certificate Management for SDDC Manager

Decision ID

Design Decision

Design Justification

Design Implication


Replace the default VMCA-signed certificate of the SDDC Manager appliance with a CA-signed certificate.

Ensures that the communication to the externally facing Web user interface and API of SDDC Manager is encrypted.

Replacing the default certificate with a trusted CA-signed certificate from a certificate authority might increase the deployment preparation time as certificates requests are generated and delivered.


Use a SHA-2 algorithm or stronger for signed certificates.

The SHA-1 algorithm is considered less secure and has been deprecated.

Not all certificate authorities support SHA-2.