After you generate certificates for management products that are signed by the two-layered certificate authority on the child AD server in the region, replace the default certificate or a certificate that is about to expire with a newly signed one.

Replace Certificates of the Virtual Infrastructure Components for Consolidated SDDC
If the user-facing certificates of the management components in the Consolidated SDDC are about to expire or are compromised, you replace them with certificates that are signed by a Microsoft or another certificate authority. You start from Platform Services Controller, vCenter Server and ESXi because these components are connected to the components in the operations management and cloud management layers.

Replace Certificates of the Cloud Management Platform Components for Consolidated SDDC
After you generate signed certificates for the components of the Cloud Management Platform by using the CertGenVVD utility, replace them on these components. Update the new certificates on the management components in the Consolidated SDDC to maintain the trusted connection.

Replace Certificates of the Operations Management Components for Consolidated SDDC
If the certificate of vRealize Operations Manager or vRealize Log Insight is about to expire or is compromised, replace it and update it on the management components in the Consolidated SDDC to maintain the trusted connection. Generate the certificate by using the CertGenVVD utility so that it is compliant with this design and with the requirements of vRealize Operations Manager.