Administering VCF (Chap3-4) PDF

Summary

This document provides instructions on configuring the Customer Experience Improvement Program (CEIP) settings for VMware Cloud Foundation, as well as managing certificates within VMware Cloud Foundation instances. It details procedures for activating/deactivating CEIP, managing certificates using various methods, and configuring Microsoft CA-signed certificates.

Full Transcript

**Configure the Customer Experience Improvement Program Settings for VMware Cloud Foundation**
==============================================================================================

VMware Cloud Foundation participates in the VMware Customer Experience Improvement Program (CEIP). You can choose to activate or deactivate CEIP for your VMware Cloud Foundation instance.

The Customer Experience Improvement Program provides VMware with information that allows VMware to improve its products and services, to fix problems, and to advise you on how best to deploy and use our products. As part of the CEIP, VMware collects technical information about your organization's use of the VMware products and services regularly in association with your organization's VMware license keys. This information does not personally identify any individual. For additional information regarding the CEIP, refer to the Trust & Assurance Center at .

You can activate or deactivate CEIP across all the components deployed in VMware Cloud Foundation by the following methods:

-
- You can activate or deactivate CEIP from the Administration tab in the SDDC Manager UI.

Procedure
---------

1. In the navigation pane, click **Administration** \> **VMware CEIP**.
2. To activate CEIP, select the **Join the VMware Customer Experience Improvement Program** option.
3. To deactivate CEIP, deselect the **Join the VMware Customer Experience Improvement Program** option.

**Managing Certificates in VMware Cloud Foundation**
====================================================

You can use the SDDC Manager UI to manage certificates in a VMware Cloud Foundation instance, including integrating a certificate authority, generating and submitting certificate signing requests (CSR) to a certificate authority, and downloading and installing certificates. Starting with VMware Cloud Foundation 5.2.1, you can also manage certificates using the vSphere Client.
This section provides instructions for the SDDC Manager UI to:

- Use OpenSSL as a certificate authority, which is a native option in SDDC Manager.
- Integrate with Microsoft Active Directory Certificate Services.
- Provide signed certificates from another external Certificate Authority.

You can manage the certificates for the following components.

- vCenter Server
- NSX Manager
- VMware Avi Load Balancer (formerly known as NSX Advanced Load Balancer)
- SDDC Manager
- VMware Aria Suite Lifecycle

**Note:** Use VMware Aria Suite Lifecycle to manage certificates for the other VMware Aria Suite components.

**Note:** VMware Cloud Foundation does not manage certificates for ESXi hosts. By default, ESXi hosts use VMCA-signed certificates, but they can also use external CA-signed certificates. If ESXi hosts are using VMCA-signed certificates, VMCA manages the certificates and certificate rotation. If ESXi hosts are using external certificates, you are responsible for managing the certificates.

**You replace certificates for the following reasons:**

- A certificate has expired or is nearing its expiration date.
- A certificate has been revoked by the issuing certificate authority.
- You do not want to use the default VMCA-signed certificates.
- Optionally, when you create a new workload domain.

It is recommended that you replace all certificates after completing the deployment of the VMware Cloud Foundation management domain. After you create a new VI workload domain, you can replace certificates for the appropriate components as needed.

**View Certificate Information**
================================

You can view details of an applied certificate for a resource directly through the SDDC Manager UI. The SDDC Manager UI provides a banner notification for any certificates that are expiring in the next 30 days.

Procedure
---------

1. In the navigation pane, click **Inventory** \> **Workload Domains**.
2. On the **Workload Domains** page, from the table, in the domain column click the domain you want to view.
3.
   - Resource type
   - Issuer, the certificate authority name
   - Resource hostname
   - Valid From
   - Valid Until
   - Certificate status: Active, Expiring, or Expired.
   - Certificate operation status
4. To view certificate details, expand the resource next to the Resource Type column.

**Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates**
=============================================================================

VMware Cloud Foundation supports the ability to manage certificates by integrating with Microsoft Active Directory Certificate Services (Microsoft CA). Before you can perform certificate operations using the SDDC Manager UI, you must ensure that the Microsoft Certificate Authority is configured correctly.

Complete the below tasks to manage Microsoft CA-Signed certificates using SDDC Manager.

Procedure
---------

1. Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates\
   To ensure secure and operational connectivity between the SDDC components, you apply signed certificates provided by a Microsoft Certificate Authority for the SDDC components.
2. Configure a Microsoft Certificate Authority in SDDC Manager\
   You configure a connection between SDDC Manager and a Microsoft Certificate Authority by entering your service account credentials.
3. Install Microsoft CA-Signed Certificates using SDDC Manager\
   Replace the self-signed certificates with signed certificates from the Microsoft Certificate Authority by using SDDC Manager.

**Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates**
=============================================================================================

To ensure secure and operational connectivity between the SDDC components, you apply signed certificates provided by a Microsoft Certificate Authority for the SDDC components.
You use SDDC Manager to generate the certificate signing requests (CSRs) and request a signed certificate from the Microsoft Certificate Authority. SDDC Manager is then used to install the signed certificates to SDDC components it manages. In order to achieve this, the Microsoft Certificate Authority must be configured to allow integration with SDDC Manager.

What to read next
-----------------

Procedure
---------

1.
2.
3.
4.

**Install Microsoft Certificate Authority Roles**
=================================================

Install the Certificate Authority and Certificate Authority Web Enrollment roles on the Microsoft Certificate Authority server to facilitate certificate generation from SDDC Manager.

**Note:** When connecting SDDC Manager to Microsoft Active Directory Certificate Services, ensure that the Web Enrollment role is installed on the same machine where the Certificate Authority role is installed. SDDC Manager can't request and sign certificates automatically if the two roles (Certificate Authority and Web Enrollment roles) are installed on different machines.

Procedure
---------

1. Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.

   ---------- --------------------------------
   FQDN       *Active Directory Host*
   User       Active Directory administrator
   Password   *ad\_admin\_password*
   ---------- --------------------------------

2. Add roles to Microsoft Certificate Authority server.

   a. Click **Start** \> **Run**, enter **ServerManager**, and click **OK**.
   b. From the **Dashboard**, click **Add roles and features** to start the **Add Roles and Features** wizard.
   c. On the **Before you begin** page, click **Next**.
   d. On the **Select installation type** page, click **Next**.
   e. On the **Select destination server** page, click **Next**.
   f. On the **Select server roles** page, under **Active Directory Certificate Services**, select **Certification Authority** and **Certification Authority Web Enrollment** and click **Next**.
   g. On the **Select features** page, click **Next**.
   h. On the **Confirm installation selections** page, click **Install**.

**Configure the Microsoft Certificate Authority for Basic Authentication**
==========================================================================

Configure the Microsoft Certificate Authority with basic authentication to allow SDDC Manager the ability to manage signed certificates.

Prerequisites
-------------

The Microsoft Certificate Authority and IIS must be installed on the same server.

**Procedure**
-------------

1. Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.

   ---------- --------------------------------
   FQDN       *Active Directory Host*
   User       Active Directory administrator
   Password   *ad\_admin\_password*
   ---------- --------------------------------

2. Add Basic Authentication to the Web Server (IIS).

   a. Click **Start** \> **Run**, enter **ServerManager**, and click **OK**.
   b. From the **Dashboard**, click **Add roles and features** to start the **Add Roles and Features** wizard.
   c. On the **Before you begin** page, click **Next**.
   d. On the **Select installation type** page, click **Next**.
   e. On the **Select destination server** page, click **Next**.
   f. On the **Select server roles** page, under **Web Server (IIS)** \> **Web Server** \> **Security**, select **Basic Authentication** and click **Next**.
   g. On the **Select features** page, click **Next**.
   h. On the **Confirm installation selections** page, click **Install**.

3. Configure the certificate service template and CertSrv web site for basic authentication.

   i. Click **Start** \> **Run**, enter **Inetmgr.exe** and click **OK** to open the **Internet Information Services Application Server Manager**.
   j. Navigate to ***your\_server*** \> **Sites** \> **Default Web Site** \> **CertSrv**.
   k. Under **IIS**, double-click **Authentication**.
   l. On the **Authentication** page, right-click **Basic Authentication** and click **Enable**.
   m. In the navigation pane, select **Default Web Site**.
   n. In the **Actions** pane, under **Manage Website**, click **Restart** for the changes to take effect.

4.

   **Setting**               **Value**
   ------------------------- ----------------------------
   Certification Authority   Windows Server 2008 R2
   Certificate recipient     Windows 7 / Server 2008 R2

5.
6.

   o.
   p.
   q.
   r.
   s.
   t.

7.
8.

   u.
   v.
   w.

**Assign Certificate Management Privileges to the SDDC Manager Service Account**
================================================================================

Before you can use the Microsoft Certificate Authority and the pre-configured template, it is recommended to configure least privilege access to the Microsoft Active Directory Certificate Services using an Active Directory user account as a restricted service account.

Prerequisites
-------------

-

Procedure
---------

1. Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.

   ---------- --------------------------------
   FQDN       *Active Directory Host*
   User       Active Directory administrator
   Password   *ad\_admin\_password*
   ---------- --------------------------------

2. Configure least privilege access for a user account on the Microsoft Certificate Authority.

   a. Click **Start** \> **Run**, enter **certsrv.msc**, and click **OK**.
   b. Right-click the certificate authority server and click **Properties**.
   c. Click the **Security** tab, and click **Add**.
   d. Enter the name of the user account and click **OK**.
   e. In the **Permissions for \....** section configure the permissions and click **OK**.

   **Setting**                     **Value (Allow)**
   ------------------------------- -------------------
   Read                            Deselected
   Issue and Manage Certificates   Selected
   Manage CA                       Deselected
   Request Certificates            Selected

3. Configure least privilege access for the user account on the Microsoft Certificate Authority Template.

   f. Click **Start** \> **Run**, enter **certtmpl.msc**, and click **OK**.
   g. Right-click the VMware template and click **Properties**.
   h. Click the **Security** tab, and click **Add**.
   i. Enter the **svc-vcf-ca** service account and click **OK**.
   j. In the **Permissions for \....** section configure the permissions and click **OK**.

   **Setting**    **Value (Allow)**
   -------------- -------------------
   Full Control   Deselected
   Read           Selected
   Write          Deselected
   Enroll         Selected
   Autoenroll     Deselected

**Configure a Microsoft Certificate Authority in SDDC Manager**
===============================================================

You configure a connection between SDDC Manager and a Microsoft Certificate Authority by entering your service account credentials.

Prerequisites
-------------

- Verify connectivity between SDDC Manager and the Microsoft Certificate Authority Server. See VMware Ports and Protocols.
- Verify that the Microsoft Certificate Authority Server has the correct roles installed on the same machine where the Certificate Authority role is installed. See Install Microsoft Certificate Authority Roles.
- Verify that the Microsoft Certificate Authority Server has been configured for basic authentication. See Configure the Microsoft Certificate Authority for Basic Authentication.
- Verify that a valid certificate template has been configured on the Microsoft Certificate Authority. See Create and Add a Microsoft Certificate Authority Template.
- Verify that a least privileged user account has been configured on the Microsoft Certificate Authority Server and Template. See Assign Certificate Management Privileges to the SDDC Manager Service Account.
- Verify that time is synchronized between the Microsoft Certificate Authority and the SDDC Manager appliance. Each system can be configured with a different timezone, but it is recommended that they receive their time from the same NTP source.

Procedure
---------

1. In the navigation pane, click **Security** \> **Certificate Authority**.
2. Click **Edit**.\
   The settings for configuring a Microsoft Certificate Authority.
3. Configure the settings and click **Save**.

   **Setting**                  **Value**
   ---------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------
   Certificate Authority Type   Microsoft
   CA Server URL                Specify the URL for the issuing certificate authority. This address must begin with https:// and end with certsrv. For example, https://ca.rainpole.io/certsrv.
   User Name                    Enter a least privileged service account. For example, svc-vcf-ca.
   Password                     Enter the password for the least privileged service account.
   Template Name                Enter the issuing certificate template name. You must create this template in Microsoft Certificate Authority. For example, VMware.

4. In the **CA Server Certificate Details** dialog box, click **Accept**.

**Install Microsoft CA-Signed Certificates using SDDC Manager**
===============================================================

Replace the self-signed certificates with signed certificates from the Microsoft Certificate Authority by using SDDC Manager.

Procedure
---------

1. In the navigation pane, click **Inventory** \> **Workload Domains**.
2. On the **Workload Domains** page, from the table, in the domain column click the workload domain you want to view.
3. On the domain summary page, click the **Certificates** tab.\
   ![The Certificates tab for a workload domain.](media/image4.png)
4. Generate CSR files for the target components.

   a.
   b.
   c.

   **Option**            **Description**
   --------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------
   Algorithm             Select the key algorithm for the certificate.
   Key Size              Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
   Email                 Optionally, enter a contact email address.
   Organizational Unit   Use this field to differentiate between divisions within your organization with which this certificate is associated.
   Organization Name     Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
   Locality              Type the city or locality where your company is legally registered.
   State                 Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
   Country               Type the country name where your company is legally registered. This value must use the ISO 3166 country code.

   d.
   e.

5.

   f.
   g.
   h.
   i.

6. Install the generated signed certificates for each component.

   j.
   k.

**Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates**
===========================================================================

VMware Cloud Foundation supports the ability to manage certificates using OpenSSL configured on the SDDC Manager appliance.

Complete the following tasks to be able to manage OpenSSL-signed certificates issued by SDDC Manager.

Procedure
---------

1. Configure OpenSSL-signed Certificates in SDDC Manager\
   To generate OpenSSL-signed certificates for the VMware Cloud Foundation components you must first configure the certificate authority details.
2. Install OpenSSL-signed Certificates using SDDC Manager\
   Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC Manager.

**Configure OpenSSL-signed Certificates in SDDC Manager**
=========================================================

To generate OpenSSL-signed certificates for the VMware Cloud Foundation components you must first configure the certificate authority details.

Procedure
---------

1. In the navigation pane, click **Security** \> **Certificate Authority**.
2. Click **Edit**.
3. Configure the settings and click **Save**.\
   The settings for configuring an OpenSSL certificate authority.

   **Setting**             **Value**
   ----------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------
   Certificate Authority   OpenSSL
   Common Name             Specify the FQDN of the SDDC Manager appliance.
   Organizational Unit     Use this field to differentiate between the divisions within your organization with which this certificate is associated.
   Organization            Specify the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
   Locality                Specify the city or the locality where your company is legally registered.
   State                   Enter the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
   Country                 Select the country where your company is registered. This value must use the ISO 3166 country code.

**Install OpenSSL-signed Certificates using SDDC Manager**
==========================================================

Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC Manager.

Procedure
---------

1.
2.
3.
4. Generate CSR files for the target components.

   a.
   b.
   c.

   **Option**            **Description**
   --------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------
   Algorithm             Select the key algorithm for the certificate.
   Key Size              Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
   Email                 Optionally, enter a contact email address.
   Organizational Unit   Use this field to differentiate between divisions within your organization with which this certificate is associated.
   Organization Name     Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
   Locality              Type the city or locality where your company is legally registered.
   State                 Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
   Country               Type the country name where your company is legally registered. This value must use the ISO 3166 country code.

   d.
   e.

5.

   f.
   g.
   h.
   i.

6.

   j.
   k.

**Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files**
=======================================================================================================

VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the new method, which is the default method for VMware Cloud Foundation 4.5.1 and later.

If you prefer to use the legacy method for installing third-party CA-signed certificates,

Procedure
---------

1.
2.
3.
4.

   a.
   b.
   c.

   **Option**            **Description**
   --------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------
   Algorithm             Select the key algorithm for the certificate.
   Key Size              Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
   Email                 Optionally, enter a contact email address.
   Organizational Unit   Use this field to differentiate between divisions within your organization with which this certificate is associated.
   Organization Name
   Locality              Type the city or locality where your company is legally registered.
   State                 Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
   Country               Type the country name where your company is legally registered. This value must use the ISO 3166 country code.

   d.
   e.

5. Download and save the CSR files by clicking **Download CSR**.
6. When the downloads complete, request signed certificates from your third-party Certificate Authority for each .csr.
7. After you receive the signed certificates, open the SDDC Manager UI and click **Upload and Install**.
8. In the **Install Signed Certificates** dialog box, select the resource for which you want to install a signed certificate.
9. Select a **Source** and enter the required information.

   - **Paste Text**: Copy and paste the:

     a.
     b.

     Paste the server certificate and the certificate authority in PEM format (base64-encoded). For example:

         -----BEGIN CERTIFICATE-----
         -----END CERTIFICATE-----

     If the Certificate Authority includes intermediate certificates, it should be in the following format:

         -----BEGIN CERTIFICATE-----
         -----END CERTIFICATE-----
         -----BEGIN CERTIFICATE-----
         -----END CERTIFICATE-----

   - **File Upload**: Click **Browse** to upload the:

     c.
     d.

     Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.

   - **Certificate Chain**: Click **Browse** to upload the certificate chain.

     Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.

10. Click **Validate**.
11. To install a signed certificate for another resource, click **Add Another** and repeat steps 8-10 for each resource.
12. Once all signed certificates have been validated successfully, click **Install**.

**Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle**
====================================================================================================

VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the legacy method of using a certificate bundle. To use the legacy method, you must modify your preferences and then use this procedure to generate CSRs, sign the CSRs with a third-party CA, and finally upload and install the certificates.

Prerequisites
-------------

VMware Cloud Foundation 4.5.1 introduces a new method for installing third-party CA-signed certificates. By default, VMware Cloud Foundation uses the new method. See [Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files](https://docs.vmware.com/en/VMware-Cloud-Foundation/5.2/vcf-admin/GUID-2A1E7307-84EA-4345-9518-198718E6A8A6.html#GUID-2A1E7307-84EA-4345-9518-198718E6A8A6) for information on using the new method.

If you prefer to use the legacy method, you must modify your preferences.

1.
2.

Uploading CA-signed certificates from a third-party Certificate Authority using the legacy method requires that you collect the relevant certificate files in the correct format and then create a single .tar.gz file with the contents. It's important that you create the correct directory structure within the .tar.gz file as follows:

-
-
-
-
-
-
-
- All certificates including rootca.crt must be in UNIX file format.
- Additional requirements for NSX certificates:
  -
  -

**Note:** All resource and hostname values can be found in the list on the **Inventory** \> **Workload Domains** \> **Certificates** tab.

Procedure
---------

1.
2.
3.
4.

   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click **Generate CSRs**.
   c. On the **Details** dialog, configure the settings and click **Next**.

   **Option**            **Description**
   --------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------
   Algorithm             Select the key algorithm for the certificate.
   Key Size              Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
   Email                 Optionally, enter a contact email address.
   Organizational Unit   Use this field to differentiate between divisions within your organization with which this certificate is associated.
   Organization Name     Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
   Locality              Type the city or locality where your company is legally registered.
   State                 Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
   Country               Type the country name where your company is legally registered. This value must use the ISO 3166 country code.

   d.
   e.

5. Download and save the CSR files to the directory by clicking **Download CSR**.
6. Complete the following tasks outside of the SDDC Manager UI:

   f.
   g.
   h.
   i.

7.
8.
9.
10.

**Add a Trusted Certificate to the SDDC Manager Trust Store**
=============================================================

If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, then you must add the new certificate to the SDDC Manager trust store.

This functionality is available in VMware Cloud Foundation 4.5.1 and later.

Replacing the certificate for a VMware Cloud Foundation component outside of SDDC Manager results in an error in the SDDC Manager UI.\
![SDDC Manager error displayed for untrusted certificate.](media/image8.png)

You can add the trusted certificate to the SDDC Manager trust store using the VMware Cloud Foundation API or the SDDC Manager UI. This procedure describes using the SDDC Manager UI. Using the SDDC Manager UI adds the certificate to the trust store for outbound communications.

Procedure
---------

1. Click **review** in the error message in the SDDC Manager UI.
2. Review the information to make sure it is accurate and then click **Trust Certificate**.

**Remove Old or Unused Certificates from SDDC Manager**
=======================================================

Old or unused certificates are stored in a trust store in SDDC Manager. You can delete old certificates using the VMware Cloud Foundation API.

Procedure
---------

1. Log in to the SDDC Manager UI as a user with the ADMIN role.
2. In the navigation pane, click **Developer Center** \> **API Explorer**.
3. Browse to and expand **API Categories** \> **Trusted Certificates**.
4. Expand GET /v1/sddc-manager/trusted-certificates and click **EXECUTE**.
5. In the Response, click TrustedCertificate and copy the alias for the certificate you want to remove.
6. Expand DELETE /v1/sddc-manager/trusted-certificates/{alias}, enter the alias, and click **EXECUTE**.
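
The PEM layout required by the **Paste Text** source (one block for the server certificate, one or more concatenated blocks when the Certificate Authority includes intermediates) and the UNIX file format required for the legacy certificate bundle can be checked before anything is uploaded. The following is an added example, not VMware code: the function names are hypothetical, the sample blocks are constructed filler rather than real certificates, and it assumes the server certificate field holds exactly one block.

```python
"""Structural pre-flight check for PEM text (added example, not VMware code)."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Matches anything shaped like a certificate marker, even with a wrong dash count.
MARKER = re.compile(r"^-+\s*(BEGIN|END) CERTIFICATE\s*-+$")


def der_is_complete(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE, the outer shape of a certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_pem(text: str, role: str) -> list[str]:
    """Return the problems found in `text`; an empty list means it is well formed.

    role "server": exactly one block expected (assumption of this example).
    role "ca": one or more blocks, intermediates simply concatenated.
    """
    if role not in ("server", "ca"):
        raise ValueError("role must be 'server' or 'ca'")
    problems = []
    # The legacy bundle procedure requires UNIX file format; flag CRLF everywhere.
    if "\r" in text:
        problems.append("CRLF line endings found; convert to UNIX (LF) format")
    blocks, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        marker = MARKER.match(line)
        if marker is None:
            if current is None:
                problems.append(f"line {lineno}: text outside a certificate block")
            else:
                current.append(line)
            continue
        if line not in (BEGIN, END):
            problems.append(f"line {lineno}: malformed marker {line!r}")
        if marker.group(1) == "BEGIN":
            if current is not None:
                problems.append(f"line {lineno}: BEGIN before the previous END")
            current = []
        elif current is None:
            problems.append(f"line {lineno}: END without a BEGIN")
        else:
            blocks.append("".join(current))
            current = None
    if current is not None:
        problems.append("last block has no END marker")

    for index, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"certificate {index}: body is not valid base64")
            continue
        if not der_is_complete(der):   # catches a paste that lost lines
            problems.append(f"certificate {index}: truncated or not a DER certificate")

    if role == "server" and len(blocks) != 1:
        problems.append(f"server field: expected exactly 1 certificate, found {len(blocks)}")
    if role == "ca" and not blocks:
        problems.append("ca field: no certificate found")
    return problems


def sample_block(size: int) -> str:
    """Constructed stand-in: a DER SEQUENCE of `size` zero bytes in PEM armour.

    It has the right outer structure but is NOT a real certificate.
    """
    der = b"\x30\x82" + size.to_bytes(2, "big") + bytes(size)
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"


SAMPLE_SERVER = sample_block(300)                  # one block
SAMPLE_CA = sample_block(300) + sample_block(260)  # two concatenated blocks

if __name__ == "__main__":
    print("server:", check_pem(SAMPLE_SERVER, "server") or "OK")
    print("ca:    ", check_pem(SAMPLE_CA, "ca") or "OK")
    print("six-dash END:", check_pem(SAMPLE_SERVER.replace(END, END + "-"), "server"))
```

The check is structural only: it does not verify signatures, subject names, validity dates or chain order, which the **Validate** step in SDDC Manager still has to confirm.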
