The Certificate Replacement documentation provides step-by-step instructions for replacing certificates on all management components of a running Software-Defined Data Center (SDDC) whose design follows this VMware Validated Design™ for Software-Defined Data Center.

In an SDDC, the security of the environment depends on the validity and trust of the management certificates. As a best practice, you replace management certificates in the following cases:

  • Before certificates expire.
  • When a certificate is compromised.
  • When the attributes related to a certificate change.

The certificate replacement process consists of the following phases:

  1. Obtain certificates for the management components that are signed by a custom certificate authority (CA)
    1. Use the VMware Validated Design Certificate Generation utility to automatically generate the certificates for all components.
    2. Manually generate Certificate Signing Requests (CSRs) and request CA-signed certificates by providing the CSRs to the CA.
  2. Replace the certificates in the live SDDC environment.
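Added example for the manual CSR path of phase 1 and for the "before certificates expire" check; it is not part of the VMware Validated Design documentation or the Certificate Generation utility. It assumes an OpenSSL 1.1.1 or later binary on the path, and the subject fields and hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a key and CSR for one SDDC management component,
# verify the CSR before submitting it to the custom CA, and check how long
# an issued certificate remains valid. Hostnames and subject fields are
# constructed placeholders, not values from the design.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr NAME CN SAN_LIST
# Writes $WORKDIR/NAME.key and $WORKDIR/NAME.csr. SANs are included because
# TLS clients validate subjectAltName, not the CN, so a replacement
# certificate must carry every name the component is reached by.
make_csr() {
  name="$1"; cn="$2"; sans="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" \
    -subj "/O=Example Org/OU=SDDC/CN=$cn" \
    -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# csr_is_valid NAME: exit 0 if the CSR's self-signature verifies
csr_is_valid() {
  openssl req -in "$WORKDIR/$1.csr" -noout -verify >/dev/null 2>&1
}

# csr_has_san NAME DNSNAME: exit 0 if the CSR carries the expected SAN entry
csr_has_san() {
  openssl req -in "$WORKDIR/$1.csr" -noout -text | grep -q "DNS:$2"
}

# cert_valid_for PEMFILE SECONDS: exit 0 if the certificate will still be
# valid SECONDS from now (openssl -checkend exits non-zero when it expires
# within that window), so "cert_valid_for cert.pem $((60*86400))" flags
# certificates that need replacement within 60 days.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage with a constructed hostname for a vCenter Server instance.
make_csr vc01 vc01.sddc.example "DNS:vc01.sddc.example,DNS:vc01"
csr_is_valid vc01 && echo "CSR verified; submit $WORKDIR/vc01.csr to the CA"
```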

Intended Audience

The VMware Validated Design Certificate Replacement documentation is intended for cloud architects, infrastructure administrators, cloud administrators and cloud operators who are familiar with and want to use VMware software to deploy in a short time and manage an SDDC that meets the requirements for capacity, scalability, backup and restore, and disaster recovery.

Supported VMware Cloud Foundation Version

Certificate Replacement is compatible with VMware Cloud Foundation™ 4.1.

Required VMware Software on VMware Cloud Foundation

Certificate Replacement is compliant and validated with certain VMware Workspace ONE Access and vRealize Suite product versions on VMware Cloud Foundation. See VMware Validated Design Release Notes.

Before You Apply This Guidance

You apply the instructions in Certificate Replacement to an environment with a certain configuration. Following the prescriptive path of VMware Validated Design, you deploy the virtual infrastructure of the management domain and workload domains by using VMware Cloud Foundation, then manually add a region-specific Workspace ONE Access instance for central user management in NSX-T. Then, you use vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode to deploy the vRealize Suite components. For information on the deployment workflow of the SDDC components, see Deployment of VMware Validated Design in Introducing VMware Validated Design.

VMware Validated Design follows an example naming convention. The naming provides uniqueness of the objects across the SDDC. You can identify managed objects directly if you use many components that are linked together, for example, multiple vCenter Server systems working in Enhanced Linking Mode or management dashboards in vRealize Operations Manager monitoring multiple instances of the same component. For information on the naming convention, see Planning and Preparation Workbook.

Table 1. SDDC Management Components in VMware Validated Design

| Domain | Management Component | Deployment Method |
|---|---|---|
| Management domain | VMware ESXi™ hosts | Manual deployment |
| | VMware vCenter Server® | Automated deployment by using Cloud Builder |
| | NSX-T Manager and NSX-T Edge nodes with region-specific and cross-region virtual network segments | Automated deployment by using Cloud Builder |
| | VMware vSAN™ as principal storage | Automated deployment by using Cloud Builder |
| | NFS as supplemental storage | Manual deployment |
| | VMware Cloud Foundation® SDDC Manager™ | Automated deployment by using Cloud Builder |
| | Region-specific Workspace ONE Access instance connected to NSX-T and vRealize Log Insight | Manual deployment |
| | vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode | Automated deployment by using SDDC Manager |
| | Cross-region Workspace ONE Access instance connected to vRealize Operations Manager, vRealize Log Insight, and vRealize Automation | Manual deployment by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode |
| | VMware vRealize® Operations Manager™ | Manual deployment by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode |
| | VMware vRealize® Log Insight™ | Manual deployment by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode |
| | VMware vRealize® Automation™ | Manual deployment by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode |
| Virtual infrastructure workload domain or vSphere with Tanzu workload domain | ESXi hosts | Manual deployment |
| | vCenter Server | Automated deployment by using SDDC Manager |
| | NSX-T Manager and NSX-T Edge nodes | Automated deployment by using SDDC Manager |
| | Principal storage | Automated deployment by using SDDC Manager |
| | Supplemental storage | Manual deployment |

To use this document, you must be acquainted with the following guidance:

  • Introducing VMware Validated Designs
  • Optionally, the following architecture and design documentation:
    • Architecture and Design for the Management Domain
    • Architecture and Design for a Virtual Infrastructure Workload Domain or Architecture and Design for a vSphere with Tanzu Workload Domain
    • Architecture and Design for Cloud Operations and Automation
  • Planning and Preparation Workbook
  • Deployment of the Management Domain in the First Region
  • Deployment of a Virtual Infrastructure Workload Domain in the First Region or Deployment of a vSphere with Tanzu Workload Domain in the First Region
  • Deployment of Cloud Operations and Automation in the First Region

See Documentation Map for VMware Validated Design.

The same requirement applies if you are following the VMware Cloud Foundation documentation to deploy the operations and automation solutions. See the VMware Cloud Foundation documentation.