In a dual-region environment, you first replace the certificates of the SDDC components in Region A.

Create and Add a Microsoft Certificate Authority Template for Consolidated SDDC
The first step in certificate generation and replacement is setting up a Microsoft Certificate Authority template on the Active Directory (AD) servers for the region. The template contains the certificate authority (CA) attributes for signing certificates of VMware SDDC solutions. After you create the new template, you add it to the certificate templates of the Microsoft CA.

Generate MSCA-Signed Certificates for the SDDC Management Components for Consolidated SDDC
Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates signed by the Microsoft certificate authority (MSCA) for all management products with a single operation.

Generate Certificate Signing Requests and Certificates from a Third-Party CA for Consolidated SDDC
Use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificate signing request (CSR) files that you can send to a third-party certificate authority to receive CA-signed certificates for the management components.

Replace Certificates of the Virtual Infrastructure Components for Consolidated SDDC
In this design, you replace user-facing certificates with certificates signed by a Microsoft Certificate Authority (CA). If the CA-signed certificates of the management components expire after you deploy the SDDC, you must replace them individually on each affected component.

Replace Certificates of the Operations Management Components for Consolidated SDDC
If the certificate of vRealize Operations Manager or vRealize Log Insight expires, replace it and update it on the management components in the region to maintain a secure connection.

Replace Certificates of the Cloud Management Platform Components for Consolidated SDDC
After you generate signed certificates for the Cloud Management Platform, replace them and update them on the management components in the region to maintain a secure connection.