Replace SDDC Manager Certificate Manually | Recover from Expired SDDC Manager Certificates

Article ID: 314632

Products

VMware Cloud Foundation

Issue/Introduction

Replace the expired SDDC Manager certificate manually so that the UI becomes operational again and the environment can be managed.

Environment

VMware Cloud Foundation 5.x
VMware Cloud Foundation 9.x

Resolution

  1. SSH to SDDC Manager as the vcf user, then su to root.

  2. Generate the CSR on the SDDC Manager by executing the command below. It's recommended to run this command from the /home/vcf directory:

    openssl req -new -newkey rsa:2048 -nodes -keyout sddc-manager.example.com.key -out sddc-manager.example.com.csr

  3. Retrieve the generated sddc-manager.example.com.csr from SDDC Manager using a file transfer utility, such as WinSCP.

  4. Use the CSR file to manually obtain a signed certificate from the third-party CA.

  5. Copy the new certificate to SDDC Manager.

  6. Back up and replace the private key (/etc/ssl/private/vcf_https.key) and the certificate (/etc/ssl/certs/vcf_https.crt).

  7. Make sure the permissions of the certificate and key files are as shown below:

    # ls -l /etc/ssl/certs/vcf_https.crt
      -rw-r--r-- 1 root root  /etc/ssl/certs/vcf_https.crt
    # ls -l /etc/ssl/private/vcf_https.key
      -rw-r----- 1 root root  /etc/ssl/private/vcf_https.key

  8. Restart NGINX services:

    nginx -t && systemctl reload nginx

  9. Add the custom CA certificate that signed the new certificate to the SDDC Manager truststore by following the steps in https://knowledge.broadcom.com/external/article/316056/how-to-adddelete-custom-ca-certificates.html
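
A pre-flight check that can be run between steps 5 and 6, before the live files are overwritten, and again after step 7 for the permissions. This is an added example, not part of the original article or of SDDC Manager; the function names and exit codes are hypothetical, and it assumes openssl and GNU stat are available on the appliance.

```shell
#!/bin/sh
# Added example: pre-flight checks before overwriting vcf_https.crt/.key.
# Function names and exit codes are hypothetical, not part of SDDC Manager.

# check_pair CERT KEY: succeed only if CERT is unexpired and was issued
# for the public key that belongs to KEY.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate: $1"; return 2; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ||
        { echo "cannot read private key: $2"; return 2; }
    # Both commands print the same PEM public key when the pair matches.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate was not issued for this private key"; return 3
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate is already expired"; return 4; }
    echo "pair ok: $(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')"
}

# check_mode FILE MODE: compare the octal permission bits of FILE with MODE.
# 644 corresponds to -rw-r--r-- and 640 to -rw-r----- as listed in step 7.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) ||
        { echo "cannot stat $1"; return 2; }
    [ "$actual" = "$2" ] ||
        { echo "$1 has mode $actual, expected $2"; return 5; }
}

# Stand-alone use, with the signed certificate and the key from step 2:
#   sh preflight.sh sddc-manager.example.com.crt sddc-manager.example.com.key
# After step 7:
#   check_mode /etc/ssl/certs/vcf_https.crt 644
#   check_mode /etc/ssl/private/vcf_https.key 640
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A mismatch (exit code 3) usually means the CSR was regenerated after submission, so the key on disk is not the one the CA signed.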



Additional Information

Replacing SDDC certificates with VMCA