One of the coolest features in the VMware Cloud Foundation 3.x release is in my opinion the ability to automatically replace SSL certificates for vSphere and vRealize components. SDDC Manager supports both Microsoft and non-Microsoft certificate authorities but in current release only Microsoft Certificate Authority is supported for automatic replacement of the certificates. I am not going to explain how to set up a MSCA but in case you need one, there are configuration steps available in the VCF documentation.
In current version, SDDC Manager can manage and automatically replace SSL certificates for the following components:
- Platform Services Controllers
- vCenter Server
- NSX Manager
- SDDC Manager
- vRealize Automation
- vRealize Log Insight
- vRealize Operations
Before you begin, make sure you have created the certificate template with proper authentication configuration as described in the documentation.
Configure Certificate Authority
Before you can start automatically replacing the SSL certificates, you must configure the Certificate Authority in the SDDC Manager.
- From the SDDC Manager dashboard, go to Security under the Administration menu and select Certificate Management.
- Provide the MSCA Server URL, username and password, and the template name.
- Accept the CA Server certificate details and click Save.
Replace SSL Certificates
Once the Certificate Authority is set up, you can start replacing the SSL certificates. In this example I will replace the certificates in the Management workload domain.
- From the Inventory menu, go to Workload Domains and open the Management workload domain.
- Select all components.
- Click Generate CSR and provide the information as needed. Click Generate CSR.
- Wait until the CSR generation process completes. When finished, the CSR Generation Status column will display Successful for every component selected.
- Next, click Generate Signed Certificates.
- Select the Microsoft Certificate Authority from the drop-down menu and click Generate Certificates.
- Wait until the certificate generation is completed. When finished, the Certificate Generation Status column will display Successful for every component selected.
- Click Install Certificates and wait until the Certificate Installation Status column changes to Successful for every component selected.
At this point all SSL certificates are replaced in the Management workload domain. You can use the same procedure to replace SSL certificates when you create new workload domain.
Post SSL Certificate Replacement tasks
- If you replaced the SDDC Manager certificate, you must restart the SDDC Manager service by running the # sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh This will establish a new connection between the SDDC manager and the components in the Management workload domain using the new certificate.
- If you replaced the SSL certificate for the vROps, you must reconfigure the NSX load balancer node by following this procedure.
- If you replaced the vRA certificate as well, you must ensure that the vRealize Automation resource root certificate is trusted by all the vRealize Automation VMs in your deployment.