By default, virtual infrastructure management components use TLS/SSL certificates that are signed by the VMware Certificate Authority (VMCA). These certificates are not trusted by end-user devices. For example, a certificate warning might appear when a user connects to a vCenter Server system by using the vSphere Web Client.

Infrastructure administrators connect to SDDC components, such as vCenter Server, from a Web browser. The authenticity of the network node to which the administrator connects must be confirmed with a valid TLS/SSL certificate.

In this design, you replace user-facing certificates with certificates that are signed by a Microsoft Certificate Authority (CA). You can use other certificate authorities according to the requirements of your organization. You do not replace certificates for machine-to-machine communication. If necessary, you can manually mark these certificates as trusted.

In a dual-region SDDC deployment, you must replace certificates in both regions for the following VMware products:

  • vCenter Server system in both management pod and shared edge and compute pod

  • VMware NSX Manager in both management pod and shared edge and compute pod

  • VMware Site Recovery Manager

  • VMware vSphere Replication

  • vSphere Data Protection

Method of Certificate Generation

You use the VMware Validated Design Certificate Generation (CertGenVVD) utility for automatic generation of Certificate Signing Requests (CSRs)and CA-signed certificate files for all VMware management products that are deployed in this validated design. For more information about using the CertGenVVD utility, see the VMware Validated Design Planning and Preparation documentation and VMware Knowledge Base article 2146215.

Product Order for Certificate Replacement

After you generate the certificates by using the CertGenVVD utility, replace them on the virtual infrastructure products as follows:

Location

Replacement Order

Replace only in Region B

  1. Management Platform Services Controller

  2. Management vCenter Server

  3. Management NSX Manager

  4. Compute Platform Services Controller

  5. Compute vCenter Server

  6. Compute NSX Manager

  7. vSphere Data Protection

Replace in both Region A and Region B

  1. Site Recovery Manager

  2. vSphere Data Protection