In this design, you replace user-facing certificates in Region B with certificates that are signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.

Replace the Platform Services Controller Certificates in Region B
You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).

Replace vCenter Server Certificates in Region B
Replace the certificates on the Management vCenter Server and Compute vCenter Server in Region B, then reconnect them to the other management components so that those components use the new certificates.

Replace the Default Certificate with a Custom Certificate on the ESXi Hosts in Region B
After you obtain signed certificates for the management ESXi hosts in Region B, use them to replace the default VMware Certificate Authority (VMCA) signed certificates on the hosts.

Replace the NSX Manager Certificates in Region B
After you replace the certificates of all Platform Services Controller instances and all vCenter Server instances, replace the certificates for the NSX Manager instances.

Replace the Certificate of vSphere Data Protection in Region B
vSphere Data Protection comes with a default self-signed certificate. Install a CA-signed certificate that authenticates vSphere Data Protection over HTTPS.

Replace the VMware Site Recovery Manager Certificates
After you replace the certificates of all Platform Services Controllers, vCenter Server instances and NSX Managers, replace the certificates on the Site Recovery Manager server instances.

Install the CA-Signed Certificate on vSphere Replication
After you generate a PKCS#12 certificate file, replace the default VMware-signed certificate with this certificate on vSphere Replication in both regions.