VMware Validated Design Certificate Replacement provides step-by-step instructions for replacing certificates on all management components of a running Software-Defined Data Center (SDDC) whose design follows this VMware Validated Design™ for Management and Workload Consolidation.

In a Consolidated SDDC, the security of the environment depends on the validity and trust of the management certificates. As a best practice, you replace management certificates in the following cases:

  • Before certificates expire.

  • When a certificate is compromised.

  • When the attributes related to a certificate change, for example, the host name or organization name.

The certificate replacement process consists of the following phases:

  1. Obtain certificates for the management components that are signed by a custom certificate authority (CA).

    • Use the VMware Validated Design Certificate Generation utility to automatically generate the certificates for all components.

    • Manually generate Certificate Signing Requests (CSRs) and request CA-signed certificates by providing the CSRs to the CA.

  2. Replace the certificates in the live SDDC environment.

Intended Audience

The VMware Validated Design Certificate Replacement documentation is intended for infrastructure administrators who have deployed a Consolidated SDDC environment using VMware Validated Design for Management and Workload Consolidation.

Required Software

VMware Validated Design Certificate Replacement uses the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates that are signed by the Microsoft certificate authority (MSCA) for all management products.

VMware Validated Design Certificate Replacement is compliant and validated with certain product versions. See the VMware Validated Design Release Notes for more information about supported product versions.