VCF Certificate Management

 

An easy way to increase the security of an environment, and a common practice for most IT organizations, is to replace the self-signed certificates that are generated during installation with certificates signed by the organization's Certificate Authority (CA). VMware Cloud Foundation simplifies this process by allowing customers to update and manage these certificates from one place.

You can manage certificates for all external-facing Cloud Foundation component resources, including configuring a certificate authority, generating and downloading CSRs, and installing the signed certificates. Cloud Foundation supports the use of a Microsoft certificate authority, OpenSSL, and third-party certificate authorities.

You can manage the certificates for the following components.

  • vCenter Server
  • NSX Manager
  • SDDC Manager
 
Log in to SDDC Manager

Once the browser has launched, follow these steps to log in.

  1. Enter https://<sddcfqdn>/ui in your browser
  2. In the User name box enter: administrator@vsphere.local
  3. In the Password box enter: VMware123!
  4. Click the LOGIN button
 
Review Certificate Authority 

  1. Expand the Security menu item in the left navigation window.
  2. Click the Certificate Authority sub-menu item.

As we can see, the connection from SDDC Manager to the domain's Certificate Authority has already been established.

 
Generate CSR

  1. Click the Inventory menu item in the left navigation window.
  2. Click the Workload Domains sub-menu item.
  3. On the resulting screen, click the mgmt-domain Domain link.

  1. Select the Certificates Tab.
  2. Place a check in the box next to the SDDC Manager.
  3. Click on the GENERATE CSRS button.

NOTE: Note the date through which the current certificate is valid; you will compare it with the new certificate after replacement.

Generate CSR Wizard

Populate the fields in the CSR wizard with the following information.

Algorithm: RSA

Key Size: 2048

Email: sam@vcf.holo.lab

Organizational Unit: IT

Organization: Holodeck

Locality: Palo Alto

State: CA

Country: US

  1. Click NEXT

If you have any Subject Alternative Names, you may enter them here. Include every hostname clients use to reach SDDC Manager, since browsers match the certificate against the SAN list rather than the Common Name.

  1. Click NEXT

 
Generate Signed Certificate

  1. Notice the green banner stating CSR Generation is successful.
  2. Ensure that SDDC MANAGER is still selected.
  3. Now that the CSR has been generated, click the GENERATE SIGNED CERTIFICATES button.

  1. Select Microsoft as the Certificate Authority.
  2. Click on the GENERATE CERTIFICATES button.

NOTE: This may take a minute or two to complete. If you were using a third-party CA, you would instead click DOWNLOAD CSR after step 1 and submit the CSR to the third-party certificate provider.

 
Certificate Generation Validation

 
Certificate Installation

  1. Place a check in the box next to the SDDC Manager.
  2. Click INSTALL CERTIFICATES.

Note: If the INSTALL CERTIFICATES button is not active, refresh the browser to get the latest status.

This process takes a couple of minutes to replace the certificate. Verify that the Certificate Installation Status for the SDDC Manager shows SUCCESSFUL.

Certificate Installation Validation

 
SSH to SDDC Manager

  1. Launch PuTTY.
  2. Enter the SDDC Manager IP address or FQDN.
  3. Click Open.
 
Restart the SDDC Manager Services 

  1. Enter PASSWORD when prompted for the password.
  2. Enter su to switch to the root user.
  3. Enter PASSWORD when prompted for a password.
  4. Enter the following command: sh /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
  5. Enter Y to proceed.

Note: This may take 1-2 minutes to complete. You should expect to see a message stating "Finished initiating restart for all SDDC Manager services".

 
Log in to SDDC Manager

Once the browser has launched, follow these steps to log in again.

  1. Enter https://<sddcfqdn>/ui in your browser
  2. In the User name box enter: administrator@vsphere.local
  3. In the Password box enter: VMware123!
  4. Click the LOGIN button
 
Verify Certificate Replacement

  1. Select the lock icon.
  2. Click on Connection is Secure.

  1. Click Certificate is Valid

  1. Click on More Information

  1. Click on View Certificate

  1. Verify that the Valid to date is at least 2 years from the current date.
  2. Select the Serial Number. Note the number.
  3. Close browser tab.
 
Navigate to the Management Workload Domain

  1. Select Workload Domains.
  2. Select the mgmt-domain workload domain.
 
Verify Cert Serial Number

  1. Click Certificates
  2. Expand the SDDC Manager

Confirm that the serial number shown here matches the one you noted from the browser's certificate viewer; a match proves the certificate the browser received is the one SDDC Manager reports as installed.
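The same lifecycle the lab drives through the UI (the Generate CSR wizard above, and the validity and serial-number checks in Verify Certificate Replacement), run with the openssl CLI as an added example. This is not part of the lab guide or of SDDC Manager; it stands in an OpenSSL CA (one of the CA types the page lists) for the lab's Microsoft CA, and the FQDN sddc-manager.vcf.holo.lab, the CA name and the 1095-day validity are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; not part of the VCF lab guide or of SDDC Manager.
# Runs the lifecycle the guide drives through the UI with the openssl CLI:
#   1. a CSR carrying the values from the Generate CSR wizard,
#   2. signing by a stand-in OpenSSL CA (one of the CA types the guide lists),
#   3. the checks from "Verify Certificate Replacement" (validity, serial, chain).
# Assumptions: openssl 1.1.1+ on PATH; the FQDN, CA name and 1095-day validity
# below are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SDDC_FQDN="${SDDC_FQDN:-sddc-manager.vcf.holo.lab}"   # assumed lab FQDN
MIN_DAYS=730                                            # guide: valid for at least 2 years

# ---- CSR with the wizard's values (RSA 2048, subject fields, SANs) ----------
make_csr() {   # $1 = FQDN; writes $WORK/sddc.key and $WORK/sddc.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/sddc.key" -out "$WORK/sddc.csr" \
    -subj "/C=US/ST=CA/L=Palo Alto/O=Holodeck/OU=IT/CN=$1/emailAddress=sam@vcf.holo.lab" \
    -addext "subjectAltName=DNS:$1,DNS:${1%%.*}" 2>/dev/null
}
csr_key_bits() {   # prints the RSA key size in the CSR, e.g. 2048
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_sans() {       # prints the CSR's SAN list, e.g. DNS:host.example,DNS:host
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# ---- Stand-in organisation CA; use the real CA outside the lab --------------
make_ca() {        # writes $WORK/ca.key and $WORK/ca.crt
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Holodeck/CN=Holodeck Lab Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
sign_csr() {       # $1 = CSR, $2 = output cert, $3 = validity in days
  # x509 -req drops the CSR's extensions: restate the SANs in the issued cert,
  # as a CA template would, or browsers will reject the hostname.
  printf 'subjectAltName=%s\n' "$(csr_sans "$1")" > "$WORK/san.ext"
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days "$3" -sha256 -extfile "$WORK/san.ext" -out "$2" 2>/dev/null
}

# ---- Checks mirroring the "Verify Certificate Replacement" steps ------------
fetch_served_cert() {   # $1 = host, $2 = output file; the leaf SDDC Manager serves on 443
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$2"
}
cert_serial() {         # serial as upper-case hex without colons
  openssl x509 -in "$1" -noout -serial | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}
serial_matches() {      # $1 = cert, $2 = serial copied from the SDDC Manager Certificates tab
  [ "$(cert_serial "$1")" = "$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')" ]
}
has_min_validity() {    # $1 = cert, $2 = days; true if it is still valid that far ahead
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
cert_sans() {           # SAN list of an issued cert, same format as csr_sans
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
chains_to_ca() {        # $1 = cert; true if it verifies against the org CA
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

run_demo() {
  make_csr "$SDDC_FQDN"
  echo "CSR: $(csr_key_bits "$WORK/sddc.csr")-bit RSA, SANs $(csr_sans "$WORK/sddc.csr")"
  make_ca
  sign_csr "$WORK/sddc.csr" "$WORK/sddc.crt" 1095
  serial="$(cert_serial "$WORK/sddc.crt")"
  echo "Issued serial $serial, not after $(openssl x509 -in "$WORK/sddc.crt" -noout -enddate | cut -d= -f2)"
  has_min_validity "$WORK/sddc.crt" "$MIN_DAYS" && echo "valid for >= $MIN_DAYS more days: OK"
  chains_to_ca "$WORK/sddc.crt"                   && echo "chains to the org CA: OK"
  serial_matches "$WORK/sddc.crt" "$serial"       && echo "serial matches the UI value: OK"
}
run_demo
```

Against a real deployment, replace the stand-in CA with the organization's CA certificate, pull the live leaf with fetch_served_cert "$SDDC_FQDN" "$WORK/live.crt" after the services restart, and pass the serial shown on the Certificates tab to serial_matches; the serial is normalized so colons and letter case from either source do not cause a false mismatch. The -checkend test is the scripted form of the "Valid to date is at least 2 years from the current date" step.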

Conclusion

We have reviewed the certificate replacement process in VCF. Using this process you can replace the certificates of VMware Cloud Foundation components and manage all of them from a central location.
