Managing Certificates in VMware Cloud Foundation
You can use the SDDC Manager UI to manage certificates in a VMware Cloud Foundation instance, including integrating a certificate authority, generating and submitting certificate signing requests (CSRs) to a certificate authority, and downloading and installing certificates.
This section provides instructions for each of the following options:
- Using OpenSSL as a certificate authority, which is a native option in SDDC Manager.
- Integrating with Microsoft Active Directory Certificate Services.
- Providing signed certificates from another external certificate authority.
You can manage the certificates for the following components.
- vCenter Server
- NSX Manager
- SDDC Manager
- vRealize Suite Lifecycle Manager
  Use vRealize Suite Lifecycle Manager to manage certificates for the other vRealize Suite components.
VMware Cloud Foundation does not manage certificates for ESXi hosts. By default, ESXi hosts use VMCA-signed certificates, but they can also use external CA-signed certificates. If ESXi hosts are using VMCA-signed certificates, VMCA manages the certificates and certificate rotation. If ESXi hosts are using external certificates, you are responsible for managing the certificates. For more information about external certificates, see Configure ESXi Hosts with Signed Certificates.
You replace certificates for the following reasons:
- A certificate has expired or is nearing its expiration date.
- A certificate has been revoked by the issuing certificate authority.
- You do not want to use the default VMCA-signed certificates.
- Optionally, when you create a new workload domain.
It is recommended that you replace all certificates after completing the deployment of the VMware Cloud Foundation management domain. After you create a new VI workload domain, you can replace certificates for the appropriate components as needed.
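Two of the replacement reasons listed above, a certificate that has expired or is nearing expiration and a certificate still issued by a CA you no longer want, can be checked from a shell with OpenSSL. The following is an added example, not VMware tooling or part of the original documentation; the function names, the 30-day default window and the issuer substring are assumptions, and the sample certificate is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example. Function names, the 30-day default window and the issuer
# substring passed by the caller are assumptions, not VMware defaults.

# fetch_cert HOST [PORT]: print the leaf certificate a component presents, as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# cert_status PEM_FILE [WARN_DAYS]: print expired | expiring | ok | unreadable.
cert_status() {
    # Refuse anything that does not parse, so a bad file is never reported as "expired".
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# issuer_matches PEM_FILE SUBSTRING: succeed if the issuer DN contains SUBSTRING,
# for example the name of the CA you expect after replacing the default certificate.
issuer_matches() {
    openssl x509 -in "$1" -noout -issuer | grep -qiF -- "$2"
}

# make_sample_cert OUT_FILE DAYS: constructed self-signed certificate for an offline demo.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/O=Example Lab/CN=sample.example.test" 2>/dev/null
    rm -f "$1.key"
}

# Demo on the constructed certificate (valid for 10 days).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/sample.pem" 10
echo "30-day window: $(cert_status "$demo_dir/sample.pem" 30)"   # expiring
echo "5-day window:  $(cert_status "$demo_dir/sample.pem" 5)"    # ok
issuer_matches "$demo_dir/sample.pem" "Example Lab" && echo "issuer: expected CA"
rm -rf "$demo_dir"
```

To audit a live component, save the output of `fetch_cert` for its FQDN to a file and pass that file to `cert_status` and `issuer_matches`. Revocation status is not covered by this check.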