Configure Certificates for a Shared Single Sign-On Domain
Last Updated January 30, 2025

When you deploy multiple instances of SDDC Manager that are joined to the same Single Sign-On (SSO) domain, you must take steps to ensure that certificates are installed correctly.

In VMware Cloud Foundation 4.5, the ability to join multiple VMware Cloud Foundation instances to the same vCenter Single Sign-On domain is deprecated.
By default, each vCenter Server that you deploy uses VMCA-signed certificates. VMware recommends that you replace the default VMCA-signed certificates for each management domain vCenter Server, across all SDDC Manager instances, with certificates signed by the same external Certificate Authority (CA). After you deploy a new VI workload domain in any of the SDDC Manager instances, install a certificate in the VI workload domain vCenter Server that is signed by the same external CA as the management domain vCenter Servers.
If you plan to use the default VMCA-signed certificates for each vCenter Server across all SDDC Manager instances, you must take the following step every time an additional vCenter Server Appliance is introduced to the SSO domain by any SDDC Manager instance:
  • Import the VMCA machine certificate for the new vCenter Server Appliance into the trust store of all other SDDC Manager instances participating in that SSO domain.

An additional vCenter Server Appliance is introduced to the SSO domain when:
  • You deploy a new SDDC Manager instance that shares the same SSO domain as an existing SDDC Manager instance.
  • You deploy a new VI workload domain in any of the SDDC Manager instances that share an SSO domain.
  1. Get the certificate for the new management or VI workload domain vCenter Server.
    1. SSH to the new vCenter Server Appliance using the root user account.
    2. Enter Shell.
    3. Retrieve the certificate from the VMware Certificate Store (VECS) and send it to an output file.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/<new-vcenter>.cer
  2. Copy the certificate (<new-vcenter>.cer) to a computer that has access to the SDDC Manager instance(s) to which you want to import the certificate.
  3. Import the certificate to the trust store of the SDDC Manager instance(s).
    1. Copy the certificate to the SDDC Manager appliance, for example to /tmp/<new-vcenter>.cer.
    2. SSH in to the SDDC Manager appliance using the vcf user account.
    3. Enter su to switch to the root user.
    4. Run the following commands:
      trustedKey=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)
      (echo $trustedKey; sleep 1; echo "Yes") | keytool -importcert -alias <new-vcenter> -file /tmp/<new-vcenter>.cer -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store
      echo "Yes" | keytool -importcert -alias <new-vcenter> -file /tmp/<new-vcenter>.cer -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit
    5. Validate the keystore entries.
      keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $trustedKey
  4. Restart all SDDC Manager services on each SDDC Manager instance to which you imported a trusted certificate.
    echo "Y" | /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
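The import and validation steps above (3.4 and 3.5), as an added POSIX shell script that is not part of the VMware documentation: it imports the certificate into both SDDC Manager trust stores only when the alias is missing or holds a different certificate, and then confirms that the SHA-256 fingerprint of the stored entry matches the exported file instead of assuming the import worked. It uses the keystore paths from the procedure; the alias name (the vCenter FQDN), the certificate path and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the VMware page): idempotent import of a vCenter VMCA
# machine certificate into both SDDC Manager trust stores, verified by fingerprint.
# Assumed inputs: <new-vcenter> FQDN (used as the alias) and the exported .cer file.
set -eu

VCF_STORE=/etc/vmware/vcf/commonsvcs/trusted_certificates.store
VCF_STORE_KEY=/etc/vmware/vcf/commonsvcs/trusted_certificates.key
JRE_CACERTS=/etc/alternatives/jre/lib/security/cacerts

# Normalise "sha256 Fingerprint=AB:CD:.." or "AB:CD:.." to lowercase hex without colons.
norm_fp() { printf '%s' "$1" | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'; }

# SHA-256 over the DER body of a PEM certificate: the value keytool -list -v prints.
cert_fp() {
  [ -r "$1" ] || { echo "cannot read certificate file $1" >&2; return 1; }
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
    | sed '/-----/d' | tr -d '\r\n ' | base64 -d | sha256sum | cut -d' ' -f1
}

# Fingerprint of the entry stored under an alias, or empty if the alias is absent.
keystore_fp() { # keystore storepass alias
  fp=$(keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1) || true
  norm_fp "${fp:-}"
}

# Import only when the alias is missing or holds a different certificate,
# then re-read the keystore to confirm the stored entry matches the file.
import_if_needed() { # keystore storepass alias certfile
  want=$(cert_fp "$4"); have=$(keystore_fp "$1" "$2" "$3")
  if [ "$have" = "$want" ]; then echo "$3 already trusted in $1"; return 0; fi
  if [ -n "$have" ]; then keytool -delete -alias "$3" -keystore "$1" -storepass "$2"; fi
  # -noprompt replaces the fragile "(echo key; sleep 1; echo Yes) |" piping.
  keytool -importcert -noprompt -alias "$3" -file "$4" -keystore "$1" -storepass "$2"
  if [ "$(keystore_fp "$1" "$2" "$3")" != "$want" ]; then
    echo "fingerprint mismatch after import into $1" >&2; return 1
  fi
  echo "imported $3 into $1 (sha256 $want)"
}

main() {
  import_if_needed "$VCF_STORE" "$(cat "$VCF_STORE_KEY")" "$1" "$2"
  import_if_needed "$JRE_CACERTS" changeit "$1" "$2"
  echo "now restart SDDC Manager services (sddcmanager_restart_services.sh)"
}

# Usage: sh import_vcenter_cert.sh <new-vcenter> /tmp/<new-vcenter>.cer
case "${2-}" in "") ;; *) main "$1" "$2" ;; esac
```

Run it as root on each SDDC Manager instance that must trust the new vCenter Server, then restart the services as in step 4.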