The Certificate Replacement documentation provides step-by-step instructions for replacing certificates on all management components of a running Software-Defined Data Center (SDDC) whose design follows this VMware Validated Design™ for Software-Defined Data Center.
In an SDDC, the security of the environment depends on the validity and trust of the management certificates. As a best practice, you replace management certificates in the following cases:
- Before certificates expire.
- When a certificate is compromised.
- When the attributes related to a certificate change.
The certificate replacement process consists of the following phases:
- Obtain certificates for the management components that are signed by a custom certificate authority (CA), in one of two ways:
  - Use the VMware Validated Design Certificate Generation utility to automatically generate the certificates for all components.
  - Manually generate Certificate Signing Requests (CSRs) and request CA-signed certificates by providing the CSRs to the CA.
- Replace the certificates in the live SDDC environment.
The VMware Validated Design Certificate Replacement documentation is intended for cloud architects, infrastructure administrators, cloud administrators, and cloud operators who are familiar with VMware software and want to use it to deploy, in a short time, and manage an SDDC that meets the requirements for capacity, scalability, backup and restore, and disaster recovery.
Supported VMware Cloud Foundation Version
Certificate Replacement is compatible with VMware Cloud Foundation™ 4.1.
Required VMware Software on VMware Cloud Foundation
Certificate Replacement is compliant and validated with certain VMware Workspace ONE Access and vRealize Suite product versions on VMware Cloud Foundation. See VMware Validated Design Release Notes.
Before You Apply This Guidance
You apply the instructions in Certificate Replacement to an environment with a specific configuration. Following the prescriptive path of VMware Validated Design, you deploy the virtual infrastructure of the management domain and workload domains by using VMware Cloud Foundation, and then manually add a region-specific Workspace ONE Access instance for central user management in NSX-T. Then, you use vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode to deploy the vRealize Suite components. For information on the deployment workflow of the SDDC components, see Deployment of VMware Validated Design in Introducing VMware Validated Design.
VMware Validated Design follows an example naming convention. The convention ensures that object names are unique across the SDDC, so you can identify managed objects directly when many components are linked together, for example, multiple vCenter Server systems working in Enhanced Linked Mode or management dashboards in vRealize Operations Manager monitoring multiple instances of the same component. For information on the naming convention, see Planning and Preparation Workbook.
| Domain | Management Component | Deployment Method |
|---|---|---|
| Management domain | VMware ESXi™ hosts | Manual deployment |
| Management domain | VMware vCenter Server® | Automated deployment by using Cloud Builder |
| Management domain | NSX-T Manager and NSX-T Edge nodes with region-specific and cross-region virtual network segments | Automated deployment by using Cloud Builder |
| Management domain | VMware vSAN™ as principal storage | Automated deployment by using Cloud Builder |
| Management domain | NFS as supplemental storage | Manual deployment |
| Management domain | VMware Cloud Foundation® SDDC Manager™ | Automated deployment by using Cloud Builder |
| Management domain | Region-specific Workspace ONE Access instance connected to NSX-T and vRealize Log Insight | Manual deployment |
| Management domain | vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode | Automated deployment by using SDDC Manager |
| Management domain | Cross-region Workspace ONE Access instance connected to vRealize Operations Manager, vRealize Log Insight, and vRealize Automation | Manual deployment by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode |
| Management domain | VMware vRealize® Operations Manager™ | Manual deployment by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode |
| Management domain | VMware vRealize® Log Insight™ | Manual deployment by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode |
| Management domain | VMware vRealize® Automation™ | Manual deployment by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode |
| Virtual infrastructure workload domain or vSphere with Tanzu workload domain | ESXi hosts | Manual deployment |
| Virtual infrastructure workload domain or vSphere with Tanzu workload domain | vCenter Server | Automated deployment by using SDDC Manager |
| Virtual infrastructure workload domain or vSphere with Tanzu workload domain | NSX-T Manager and NSX-T Edge nodes | Automated deployment by using SDDC Manager |
| Virtual infrastructure workload domain or vSphere with Tanzu workload domain | Principal storage | Automated deployment by using SDDC Manager |
| Virtual infrastructure workload domain or vSphere with Tanzu workload domain | Supplemental storage | Manual deployment |
To use this document, you must be acquainted with the following guidance:
- Introducing VMware Validated Designs
- Optionally, the following architecture and design documentation:
  - Architecture and Design for the Management Domain
  - Architecture and Design for a Virtual Infrastructure Workload Domain or Architecture and Design for a vSphere with Tanzu Workload Domain
  - Architecture and Design for Cloud Operations and Automation
- Planning and Preparation Workbook
- Deployment of the Management Domain in the First Region
- Deployment of a Virtual Infrastructure Workload Domain in the First Region or Deployment of a vSphere with Tanzu Workload Domain in the First Region
- Deployment of Cloud Operations and Automation in the First Region
The same requirement applies if you are following the VMware Cloud Foundation documentation to deploy the operations and automation solutions. See the VMware Cloud Foundation documentation.