Administering VCF (Chap3-4) PDF
This document provides instructions for configuring the Customer Experience Improvement Program (CEIP) settings and managing certificates within VMware Cloud Foundation. It covers topics like activating/deactivating CEIP, managing certificates using the SDDC Manager UI, and integrating with Microsoft Active Directory Certificate Services.
Configure the Customer Experience Improvement Program Settings for VMware Cloud Foundation

VMware Cloud Foundation participates in the VMware Customer Experience Improvement Program (CEIP). You can choose to activate or deactivate CEIP for your VMware Cloud Foundation instance.

The Customer Experience Improvement Program provides VMware with information that allows VMware to improve its products and services, to fix problems, and to advise you on how best to deploy and use its products. As part of the CEIP, VMware regularly collects technical information about your organization's use of VMware products and services in association with your organization's VMware license keys. This information does not personally identify any individual. For additional information regarding the CEIP, refer to the Trust & Assurance Center at http://www.vmware.com/trustvmware/ceip.html.

You can activate or deactivate CEIP across all the components deployed in VMware Cloud Foundation by either of the following methods:

o When you log in to SDDC Manager for the first time, a pop-up window appears. The Join the VMware Customer Experience Improvement Program option is selected by default. Deselect this option if you do not want to join CEIP, then click Apply.
o At any later time, activate or deactivate CEIP from the Administration tab in the SDDC Manager UI.

Procedure
1. In the navigation pane, click Administration > VMware CEIP.
2. To activate CEIP, select the Join the VMware Customer Experience Improvement Program option.
3. To deactivate CEIP, deselect the Join the VMware Customer Experience Improvement Program option.

Managing Certificates in VMware Cloud Foundation

You can use the SDDC Manager UI to manage certificates in a VMware Cloud Foundation instance, including integrating a certificate authority, generating and submitting certificate signing requests (CSRs) to a certificate authority, and downloading and installing certificates.
Starting with VMware Cloud Foundation 5.2.1, you can also manage certificates using the vSphere Client. This section provides instructions for using the SDDC Manager UI to:

o Use OpenSSL as a certificate authority, which is a native option in SDDC Manager.
o Integrate with Microsoft Active Directory Certificate Services.
o Provide signed certificates from another external Certificate Authority.

You can manage the certificates for the following components:

o vCenter Server
o NSX Manager
o VMware Avi Load Balancer (formerly known as NSX Advanced Load Balancer)
o SDDC Manager
o VMware Aria Suite Lifecycle

Note: Use VMware Aria Suite Lifecycle to manage certificates for the other VMware Aria Suite components.

Note: VMware Cloud Foundation does not manage certificates for ESXi hosts. By default, ESXi hosts use VMCA-signed certificates, but they can also use external CA-signed certificates. If ESXi hosts are using VMCA-signed certificates, VMCA manages the certificates and certificate rotation. If ESXi hosts are using external certificates, you are responsible for managing the certificates.

You replace certificates for the following reasons:

o A certificate has expired or is nearing its expiration date.
o A certificate has been revoked by the issuing certificate authority.
o You do not want to use the default VMCA-signed certificates.
o Optionally, when you create a new workload domain.

It is recommended that you replace all certificates after completing the deployment of the VMware Cloud Foundation management domain. After you create a new VI workload domain, you can replace certificates for the appropriate components as needed.

View Certificate Information

You can view details of an applied certificate for a resource directly through the SDDC Manager UI. The SDDC Manager UI shows a banner notification for any certificates that expire within the next 30 days.

Procedure
1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, in the Domain column of the table, click the domain you want to view.
3. On the domain summary page, click the Certificates tab. This tab lists the certificates for each resource type associated with the workload domain. It displays the following details:
   o Resource type
   o Issuer (the certificate authority name)
   o Resource hostname
   o Valid From
   o Valid Until
   o Certificate status: Active, Expiring, or Expired
   o Certificate operation status
4. To view certificate details, expand the resource next to the Resource Type column.

Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates

VMware Cloud Foundation supports the ability to manage certificates by integrating with Microsoft Active Directory Certificate Services (Microsoft CA). Before you can perform certificate operations using the SDDC Manager UI, you must ensure that the Microsoft Certificate Authority is configured correctly. Complete the tasks below to manage Microsoft CA-signed certificates using SDDC Manager.

Procedure
1. Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates
   To ensure secure and operational connectivity between the SDDC components, you apply signed certificates provided by a Microsoft Certificate Authority to the SDDC components.
2. Configure a Microsoft Certificate Authority in SDDC Manager
   You configure a connection between SDDC Manager and a Microsoft Certificate Authority by entering your service account credentials.
3. Install Microsoft CA-Signed Certificates using SDDC Manager
   Replace the self-signed certificates with signed certificates from the Microsoft Certificate Authority by using SDDC Manager.

Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates

To ensure secure and operational connectivity between the SDDC components, you apply signed certificates provided by a Microsoft Certificate Authority to the SDDC components.
You use SDDC Manager to generate the certificate signing requests (CSRs) and request signed certificates from the Microsoft Certificate Authority. SDDC Manager then installs the signed certificates on the SDDC components it manages. To achieve this, the Microsoft Certificate Authority must be configured to allow integration with SDDC Manager.

Procedure
1. Install Microsoft Certificate Authority Roles
   Install the Certification Authority and Certification Authority Web Enrollment roles on the Microsoft Certificate Authority server to facilitate certificate generation from SDDC Manager.
2. Configure the Microsoft Certificate Authority for Basic Authentication
   Configure the Microsoft Certificate Authority with basic authentication to allow SDDC Manager to manage signed certificates.
3. Create and Add a Microsoft Certificate Authority Template
   You must set up a certificate template in the Microsoft Certificate Authority. The template contains the certificate authority attributes for signing certificates for the VMware Cloud Foundation components. After you create the template, you add it to the certificate templates of the Microsoft Certificate Authority.
4. Assign Certificate Management Privileges to the SDDC Manager Service Account
   Before you can use the Microsoft Certificate Authority and the pre-configured template, it is recommended to configure least privilege access to the Microsoft Active Directory Certificate Services using an Active Directory user account as a restricted service account.

Install Microsoft Certificate Authority Roles

Install the Certification Authority and Certification Authority Web Enrollment roles on the Microsoft Certificate Authority server to facilitate certificate generation from SDDC Manager.

Note: When connecting SDDC Manager to Microsoft Active Directory Certificate Services, ensure that the Web Enrollment role is installed on the same machine where the Certificate Authority role is installed.
SDDC Manager cannot request and sign certificates automatically if the two roles (Certification Authority and Certification Authority Web Enrollment) are installed on different machines.

Procedure
1. Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
   FQDN      Active Directory Host
   User      Active Directory administrator
   Password  ad_admin_password
2. Add roles to the Microsoft Certificate Authority server.
   a. Click Start > Run, enter ServerManager, and click OK.
   b. From the Dashboard, click Add roles and features to start the Add Roles and Features wizard.
   c. On the Before you begin page, click Next.
   d. On the Select installation type page, click Next.
   e. On the Select destination server page, click Next.
   f. On the Select server roles page, under Active Directory Certificate Services, select Certification Authority and Certification Authority Web Enrollment and click Next.
   g. On the Select features page, click Next.
   h. On the Confirm installation selections page, click Install.

Configure the Microsoft Certificate Authority for Basic Authentication

Configure the Microsoft Certificate Authority with basic authentication to allow SDDC Manager to manage signed certificates. Basic authentication sends the service account name and password with every request, protected only by TLS, which is why the CA URL you later enter in SDDC Manager must begin with https://.

Prerequisites
The Microsoft Certificate Authority and IIS must be installed on the same server.

Procedure
1. Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.
   FQDN      Active Directory Host
   User      Active Directory administrator
   Password  ad_admin_password
2. Add Basic Authentication to the Web Server (IIS).
   a. Click Start > Run, enter ServerManager, and click OK.
   b. From the Dashboard, click Add roles and features to start the Add Roles and Features wizard.
   c. On the Before you begin page, click Next.
   d. On the Select installation type page, click Next.
   e. On the Select destination server page, click Next.
   f. On the Select server roles page, under Web Server (IIS) > Web Server > Security, select Basic Authentication and click Next.
   g. On the Select features page, click Next.
   h. On the Confirm installation selections page, click Install.
3. Configure the CertSrv web site for basic authentication.
   a. Click Start > Run, enter Inetmgr.exe, and click OK to open Internet Information Services (IIS) Manager.
   b. Navigate to your_server > Sites > Default Web Site > CertSrv.
   c. Under IIS, double-click Authentication.
   d. On the Authentication page, right-click Basic Authentication and click Enable.
   e. In the navigation pane, select Default Web Site.
   f. In the Actions pane, under Manage Website, click Restart for the changes to take effect.

Create and Add a Microsoft Certificate Authority Template

You must set up a certificate template in the Microsoft Certificate Authority. The template contains the certificate authority attributes for signing certificates for the VMware Cloud Foundation components. After you create the template, you add it to the certificate templates of the Microsoft Certificate Authority.

4. In the Properties of New Template dialog box, click the Compatibility tab and configure the following values.
   Setting                  Value
   Certification Authority  Windows Server 2008 R2
   Certificate recipient    Windows 7 / Server 2008 R2
5. In the Properties of New Template dialog box, click the General tab and enter a name, for example VMware, in the Template display name text box.
6. In the Properties of New Template dialog box, click the Extensions tab and configure the following.
   a. Click Application Policies and click Edit.
   b. Click Server Authentication, click Remove, and click OK.
   c. Click Basic Constraints and click Edit.
   d. Select the Enable this extension check box and click OK.
   e. Click Key Usage and click Edit.
   f. Select the Signature is proof of origin (nonrepudiation) check box, leave the defaults for all other options, and click OK.
7. In the Properties of New Template dialog box, click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
   Because the subject name is taken from the request, any account allowed to enroll with this template can request a certificate for any hostname. Restrict the Enroll permission on the template to the SDDC Manager service account, as described in Assign Certificate Management Privileges to the SDDC Manager Service Account.
8. Add the new template to the certificate templates of the Microsoft CA.
   a. Click Start > Run, enter certsrv.msc, and click OK.
   b. In the Certification Authority window, expand the left pane, right-click Certificate Templates, and select New > Certificate Template to Issue.
   c. In the Enable Certificate Templates dialog box, select VMware, and click OK.

Assign Certificate Management Privileges to the SDDC Manager Service Account

Before you can use the Microsoft Certificate Authority and the pre-configured template, it is recommended to configure least privilege access to the Microsoft Active Directory Certificate Services using an Active Directory user account as a restricted service account.

Prerequisites
Create a user account in Active Directory with Domain Users membership. For example, svc-vcf-ca.

Procedure
1. Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
   FQDN      Active Directory Host
   User      Active Directory administrator
   Password  ad_admin_password
2. Configure least privilege access for the user account on the Microsoft Certificate Authority.
   a. Click Start > Run, enter certsrv.msc, and click OK.
   b. Right-click the certificate authority server and click Properties.
   c. Click the Security tab, and click Add.
   d. Enter the name of the user account and click OK.
   e. In the Permissions for ... section, configure the permissions and click OK.
      Setting (Allow)                Value
      Read                           Deselected
      Issue and Manage Certificates  Selected
      Manage CA                      Deselected
      Request Certificates           Selected
   Issue and Manage Certificates is the certificate manager right: it lets the account approve pending requests and revoke certificates issued by this CA, so treat the svc-vcf-ca password as a privileged credential.
3. Configure least privilege access for the user account on the Microsoft Certificate Authority template.
   a. Click Start > Run, enter certtmpl.msc, and click OK.
   b. Right-click the VMware template and click Properties.
   c. Click the Security tab, and click Add.
   d. Enter the svc-vcf-ca service account and click OK.
   e. In the Permissions for ... section, configure the permissions and click OK.
      Setting (Allow)  Value
      Full Control     Deselected
      Read             Selected
      Write            Deselected
      Enroll           Selected
      Autoenroll       Deselected

Configure a Microsoft Certificate Authority in SDDC Manager

You configure a connection between SDDC Manager and a Microsoft Certificate Authority by entering your service account credentials.
Prerequisites

o Verify connectivity between SDDC Manager and the Microsoft Certificate Authority server. See VMware Ports and Protocols.
o Verify that the Microsoft Certificate Authority server has the Web Enrollment role installed on the same machine as the Certificate Authority role. See Install Microsoft Certificate Authority Roles.
o Verify that the Microsoft Certificate Authority server has been configured for basic authentication. See Configure the Microsoft Certificate Authority for Basic Authentication.
o Verify that a valid certificate template has been configured on the Microsoft Certificate Authority. See Create and Add a Microsoft Certificate Authority Template.
o Verify that a least privileged user account has been configured on the Microsoft Certificate Authority server and template. See Assign Certificate Management Privileges to the SDDC Manager Service Account.
o Verify that time is synchronized between the Microsoft Certificate Authority and the SDDC Manager appliance. Each system can be configured with a different time zone, but it is recommended that they receive their time from the same NTP source.

Procedure
1. In the navigation pane, click Security > Certificate Authority.
2. Click Edit.
3. Configure the settings and click Save.
   Setting                     Value
   Certificate Authority Type  Microsoft
   CA Server URL               The URL of the issuing certificate authority. It must begin with https:// and end with certsrv. For example, https://ca.rainpole.io/certsrv.
   User Name                   The least privileged service account. For example, svc-vcf-ca.
   Password                    The password for the least privileged service account.
   Template Name               The issuing certificate template name, which you must have created in the Microsoft Certificate Authority. For example, VMware.
4. In the CA Server Certificate Details dialog box, check that the certificate presented by the CA web server is the one you expect, then click Accept.
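The prerequisites above ask you to verify connectivity, basic authentication and time synchronization before pointing SDDC Manager at the CA. The probe below is an added example (not part of the VMware documentation) that checks those three things from the host that will enrol: it sends one pre-authenticated Basic request to the certsrv URL and interprets the status and WWW-Authenticate challenge (a 401 that offers only Negotiate/NTLM means Basic Authentication was never enabled on CertSrv; a 404 usually means Web Enrollment is not on the CA server), then compares the CA's Date header with the local clock. CA_URL, CA_USER and the 5-minute skew limit are placeholders taken from the examples in the text. Because the credentials travel in the Basic header, only ever run this against an https:// URL.

```python
"""Pre-flight probe for the SDDC Manager to Microsoft CA connection (added example)."""
import base64
import datetime
import email.utils
import urllib.error
import urllib.request

# Assumptions: placeholders from the text above, not real systems.
CA_URL = "https://ca.rainpole.io/certsrv/"
CA_USER = "svc-vcf-ca"
MAX_SKEW_SECONDS = 300


def challenge_schemes(challenges):
    """Set of auth schemes offered in one or more WWW-Authenticate headers.

    IIS may send one header per scheme or several schemes in one header,
    e.g. 'Negotiate', 'NTLM', 'Basic realm="ca.rainpole.io"'.
    """
    if challenges is None:
        challenges = []
    elif isinstance(challenges, str):
        challenges = [challenges]
    schemes = set()
    for header in challenges:
        for part in header.split(","):
            part = part.strip()
            if part:
                schemes.add(part.split()[0].lower())
    return schemes


def classify(status, challenges):
    """Map HTTP status plus WWW-Authenticate challenge(s) to (ok, finding)."""
    schemes = challenge_schemes(challenges)
    if status == 200:
        return True, "Basic authentication to /certsrv succeeded"
    if status == 401 and "basic" in schemes:
        return False, "Basic authentication is enabled but the credentials were rejected"
    if status == 401:
        offered = ", ".join(sorted(schemes)) or "none"
        return False, ("server does not offer Basic (offered: %s); enable Basic "
                       "Authentication on Default Web Site > CertSrv" % offered)
    if status == 404:
        return False, ("/certsrv not found; check the URL and that Web Enrollment is "
                       "installed on the same server as the Certification Authority")
    return False, "unexpected HTTP status %d" % status


def _as_utc(date_header):
    parsed = email.utils.parsedate_to_datetime(date_header)
    if parsed.tzinfo is None:          # '-0000' dates come back naive
        parsed = parsed.replace(tzinfo=datetime.timezone.utc)
    return parsed


def clock_skew_seconds(server_date, local_date):
    """Absolute difference in seconds between two RFC 1123 Date header values."""
    return abs((_as_utc(local_date) - _as_utc(server_date)).total_seconds())


def probe(url=CA_URL, user=CA_USER, password="", timeout=10):
    """One pre-authenticated GET to the CertSrv URL; returns a list of (ok, finding)."""
    req = urllib.request.Request(url)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    except urllib.error.URLError as err:
        # DNS, TCP and TLS failures, including an untrusted CA web server certificate.
        return [(False, "connection failed: %s" % err.reason)]
    findings = [classify(status, headers.get_all("WWW-Authenticate"))]
    server_date = headers.get("Date")
    if server_date:
        skew = clock_skew_seconds(server_date, email.utils.formatdate(usegmt=True))
        findings.append((skew <= MAX_SKEW_SECONDS,
                         "clock skew between CA and this host: %.0f s" % skew))
    return findings


if __name__ == "__main__":
    import getpass
    for ok, finding in probe(password=getpass.getpass("Password for %s: " % CA_USER)):
        print("OK  " if ok else "FAIL", finding)
```

Run it from the SDDC Manager appliance (or any host on the same network path) before filling in the Certificate Authority form; a skew finding above a few minutes is worth fixing even though it is below the limit, since certificate validity checks on both sides depend on the clocks agreeing.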
Install Microsoft CA-Signed Certificates using SDDC Manager

Replace the self-signed certificates with signed certificates from the Microsoft Certificate Authority by using SDDC Manager.

Procedure
1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, in the Domain column of the table, click the workload domain you want to view.
3. On the domain summary page, click the Certificates tab.
4. Generate CSR files for the target components.
   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click Generate CSRs.
   c. On the Details dialog, configure the settings and click Next.
      Option               Description
      Algorithm            Select the key algorithm for the certificate.
      Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email                Optionally, enter a contact email address.
      Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization Name    Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality             Type the city or locality where your company is legally registered.
      State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country              Type the country where your company is legally registered, as its ISO 3166 country code.
   d. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
   e. On the Summary dialog, click Generate CSRs.
5. Generate signed certificates for each component.
   a. From the table, select the check box for the resource type for which you want to generate a signed certificate.
   b. Click Generate Signed Certificates.
   c. In the Generate Certificates dialog box, from the Select Certificate Authority drop-down menu, select Microsoft.
   d. Click Generate Certificates.
6. Install the generated signed certificates for each component.
   a. From the table, select the check box for the resource type for which you want to install a signed certificate.
   b. Click Install Certificates.

Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates

VMware Cloud Foundation supports the ability to manage certificates using OpenSSL configured on the SDDC Manager appliance. Complete the following tasks to be able to manage OpenSSL-signed certificates issued by SDDC Manager. Certificates issued this way chain to a private CA that lives on the SDDC Manager appliance, so browsers and other clients will only trust them if you distribute that CA's root certificate to them.

Procedure
1. Configure OpenSSL-signed Certificates in SDDC Manager
   To generate OpenSSL-signed certificates for the VMware Cloud Foundation components, you must first configure the certificate authority details.
2. Install OpenSSL-signed Certificates using SDDC Manager
   Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC Manager.

Configure OpenSSL-signed Certificates in SDDC Manager

To generate OpenSSL-signed certificates for the VMware Cloud Foundation components, you must first configure the certificate authority details.

Procedure
1. In the navigation pane, click Security > Certificate Authority.
2. Click Edit.
3. Configure the settings and click Save.
   Setting                Value
   Certificate Authority  OpenSSL
   Common Name            Specify the FQDN of the SDDC Manager appliance.
   Organizational Unit    Use this field to differentiate between the divisions within your organization with which this certificate is associated.
   Organization           Specify the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
   Locality               Specify the city or the locality where your company is legally registered.
   State                  Enter the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
   Country                Select the country where your company is registered. This value must use the ISO 3166 country code.
Install OpenSSL-signed Certificates using SDDC Manager

Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC Manager.

Procedure
1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, in the Domain column of the table, click the workload domain you want to view.
3. On the domain summary page, click the Certificates tab.
4. Generate CSR files for the target components.
   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click Generate CSRs. The Generate CSRs wizard opens.
   c. On the Details dialog, configure the settings and click Next.
      Option               Description
      Algorithm            Select the key algorithm for the certificate.
      Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email                Optionally, enter a contact email address.
      Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization Name    Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality             Type the city or locality where your company is legally registered.
      State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country              Type the country where your company is legally registered, as its ISO 3166 country code.
   d. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next. You can enter multiple values separated by a comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
      Note: A wildcard subject alternative name, such as *.example.com, is not recommended.
   e. On the Summary dialog, click Generate CSRs.
5. Generate signed certificates for each component.
   a. From the table, select the check box for the resource type for which you want to generate a signed certificate.
   b. Click Generate Signed Certificates.
   c. In the Generate Certificates dialog box, from the Select Certificate Authority drop-down menu, select OpenSSL.
   d. Click Generate Certificates.
6. Install the generated signed certificates for each component.
   a. From the table, select the check box for the resource type for which you want to install a signed certificate.
   b. Click Install Certificates.

Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files

VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the new method, which is the default method for VMware Cloud Foundation 4.5.1 and later. If you prefer to use the legacy method for installing third-party CA-signed certificates, see Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle.

Procedure
1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, in the Domain column of the table, click the workload domain you want to view.
3. On the domain summary page, click the Certificates tab.
4. Generate CSR files for the target components.
   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click Generate CSRs. The Generate CSRs wizard opens.
   c. On the Details dialog, configure the settings and click Next.
      Option               Description
      Algorithm            Select the key algorithm for the certificate.
      Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email                Optionally, enter a contact email address.
      Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization Name    Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality             Type the city or locality where your company is legally registered.
      State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country              Type the country where your company is legally registered, as its ISO 3166 country code.
   d. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next. You can enter multiple values separated by a comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
      Note: A wildcard subject alternative name, such as *.example.com, is not recommended.
   e. On the Summary dialog, click Generate CSRs.
5. Download and save the CSR files by clicking Download CSR.
6. When the downloads complete, request signed certificates from your third-party Certificate Authority for each .csr.
7. After you receive the signed certificates, open the SDDC Manager UI and click Upload and Install.
8. In the Install Signed Certificates dialog box, select the resource for which you want to install a signed certificate. The drop-down menu includes all resources for which you have generated and downloaded CSRs.
9. Select a Source and enter the required information.
   Source             Required Information
   Paste Text         Copy and paste the Server Certificate and the Certificate Authority in PEM format (base64-encoded). For example:
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
                      If the Certificate Authority includes intermediate certificates, it should be in the following format:
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
                      -----BEGIN CERTIFICATE-----
                      -----END CERTIFICATE-----
   File Upload        Click Browse to upload the Server Certificate and the Certificate Authority. Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.
   Certificate Chain  Click Browse to upload the certificate chain. Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.
10. Click Validate. If validation fails, resolve the issues and try again, or click Remove to skip the certificate installation.
11. To install a signed certificate for another resource, click Add Another and repeat steps 8-10 for each resource.
12. Once all signed certificates have been validated successfully, click Install.

Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle

VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the legacy method of using a certificate bundle. To use the legacy method, you must modify your preferences and then use this procedure to generate CSRs, sign the CSRs with a third-party CA, and finally upload and install the certificates.

Prerequisites

VMware Cloud Foundation 4.5.1 introduces a new method for installing third-party CA-signed certificates. By default, VMware Cloud Foundation uses the new method. See Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files for information on using the new method. If you prefer to use the legacy method, you must modify your preferences:

1. In the SDDC Manager UI, click the logged-in user and select Preferences.
2. Use the toggle to switch to legacy certificate management.

Uploading CA-signed certificates from a third-party Certificate Authority using the legacy method requires that you collect the relevant certificate files in the correct format and then create a single .tar.gz file with the contents. It is important that you create the correct directory structure within the .tar.gz file, as follows:

o The name of the top-level directory must exactly match the name of the workload domain as it appears in the list on Inventory > Workload Domains. For example, sfo-m01.
o The PEM-encoded root CA certificate chain file (which must be named rootca.crt) must reside inside this top-level directory. The rootca.crt chain file contains a root certificate authority and can have any number of intermediate certificates. For example:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  In the above example, there are two intermediate certificates, intermediate1 and intermediate2, and a root certificate. Intermediate1 must be issued by intermediate2, and intermediate2 must be issued by the root CA; that is, the file is ordered from the intermediate closest to the server certificate down to the root.
o The root CA certificate chain file, intermediate certificates, and root certificate must contain the Basic Constraints field with value CA:TRUE.
o The top-level directory must contain one sub-directory for each component resource for which you want to replace the certificates. Each sub-directory name must exactly match the resource hostname of the corresponding component as it appears in the Resource Hostname column on the Inventory > Workload Domains > Certificates tab. For example, nsxManager.vrack.vsphere.local, vcenter-1.vrack.vsphere.local, and so on.
o Each sub-directory must contain the corresponding .csr file, whose name must exactly match the resource as it appears in the Resource Hostname column on the Inventory > Workload Domains > Certificates tab.
o Each sub-directory must contain the corresponding .crt file, whose name must exactly match the resource as it appears in the Resource Hostname column on the Inventory > Workload Domains > Certificates tab. The content of the .crt files must end with a newline character. For example, the nsxManager.vrack.vsphere.local sub-directory would contain the nsxManager.vrack.vsphere.local.crt file.
o All certificates, including rootca.crt, must be in UNIX file format (LF line endings).

Additional requirements for NSX certificates:

o The server certificate (NSX_FQDN.crt) must contain the Basic Constraints field with value CA:FALSE.
o If the NSX certificate contains an HTTP or HTTPS based CRL Distribution Point, it must be reachable from the server.
o The extended key usage (EKU) of the generated certificate must contain the EKU of the CSR generated.

Note: All resource and hostname values can be found in the list on the Inventory > Workload Domains > Certificates tab.

Procedure
1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, in the Domain column of the table, click the workload domain you want to view.
3. On the domain summary page, click the Certificates tab.
4. Generate CSR files for the target components.
   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click Generate CSRs. The Generate CSRs wizard opens.
   c. On the Details dialog, configure the settings and click Next.
      Option               Description
      Algorithm            Select the key algorithm for the certificate.
      Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email                Optionally, enter a contact email address.
      Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization Name    Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality             Type the city or locality where your company is legally registered.
      State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country              Type the country where your company is legally registered, as its ISO 3166 country code.
   d. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next. You can enter multiple values separated by a comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
      Note: A wildcard subject alternative name, such as *.example.com, is not recommended.
   e. On the Summary dialog, click Generate CSRs.
5. Download and save the CSR files to the directory structure by clicking Download CSR.
6. Complete the following tasks outside of the SDDC Manager UI:
   a. Verify that the different .csr files have been generated successfully and are placed in the required directory structure.
   b. Request signed certificates from a third-party Certificate Authority for each .csr.
   c. Verify that the newly acquired .crt files are correctly named and placed in the required directory structure.
   d. Create a new .tar.gz file of the directory structure ready for upload to SDDC Manager. For example: .tar.gz.
7. Click Upload and Install.
8. In the Upload and Install Certificates dialog box, click Browse to locate and select the newly created .tar.gz file and click Open.
9. Click Upload.
10. If the upload is successful, click Install Certificate. The Certificates tab displays a status of Certificate Installation is in progress.

Add a Trusted Certificate to the SDDC Manager Trust Store

If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, you must add the new certificate to the SDDC Manager trust store. This functionality is available in VMware Cloud Foundation 4.5.1 and later.

Replacing the certificate for a VMware Cloud Foundation component outside of SDDC Manager results in an error in the SDDC Manager UI. You can add the trusted certificate to the SDDC Manager trust store using the VMware Cloud Foundation API or the SDDC Manager UI. This procedure describes using the SDDC Manager UI. Using the SDDC Manager UI adds the certificate to the trust store for outbound communications.

Procedure
1. Click review in the error message in the SDDC Manager UI. Alternatively, in the SDDC Manager UI, click Inventory > Workload Domains, click the workload domain name, and then click the Certificates tab. The error appears in the Status column.
2. Review the information to make sure it is accurate, then click Trust Certificate. Compare the certificate details shown (subject, issuer, validity and thumbprint) with the certificate you actually installed on the component before trusting it, since this step tells SDDC Manager to accept that certificate for all future outbound connections to the component.

Remove Old or Unused Certificates from SDDC Manager

Old or unused certificates are stored in a trust store in SDDC Manager. You can delete old certificates using the VMware Cloud Foundation API.

Procedure
1. Log in to the SDDC Manager UI as a user with the ADMIN role. For more information about roles
2. In the navigation pane, click Developer Center > API Explorer.
3. Browse to and expand API Categories > Trusted Certificates.
4. Expand GET /v1/sddc-manager/trusted-certificates and click EXECUTE.
5. In the Response, click TrustedCertificate and copy the alias for the certificate you want to remove.
6. Expand DELETE /v1/sddc-manager/trusted-certificates/{alias}, enter the alias, and click EXECUTE.