It is recommended that you replace all certificates right after deploying Cloud Foundation. After you create workload domains, you can replace certificates for the appropriate components.
Prerequisites
Create a configuration file that contains certificate information for your organization. Using this configuration file, the tool generates a file package that contains a configuration file for the VMs in each Cloud Foundation component.
You can specify the components for which you want to replace certificates in the configuration file. It is recommended that you replace all certificates immediately after you deploy Cloud Foundation. Subsequently, you can replace certificates for a subset of components, as appropriate.
Note: For information on creating a configuration file, please see the "Example Configuration File for Certificate Replacement After Deployment" in the VMware Cloud Foundation Admin Guide.
To create the configuration file package:
Using the root credentials, SSH in to the SDDC Manager Controller VM.
If you have not already done so, copy the configuration file to a directory on the SDDC Manager Controller VM, for example, /tmp/cert-config.json.
Navigate to /opt/vmware/cert-mgmt/bin.
Run the following command:
./vcfcerthelper --config_file config.json --cert_dir cert-output --action build-certgen-config
The file package for the Certificate Generation Tool is created in the specified directory. The tool also creates a zip file of the directory contents in the parent directory.
With the Certificate Generation utility, you can either create certificates signed by a Microsoft Windows certificate authority or create a certificate signing request for a third-party CA.
Note: There is a known security risk when copying key pairs and certificates to the /root/certs directory because it is not FIPS compliant.
Use a file transfer utility to copy the file package zip file from the SDDC Manager Controller VM to the Windows host.
Extract the contents of the zip file on the Windows host. The CertGenVVD-*.ps1 file is included in the extracted files.
Navigate to the directory where you extracted the contents of the zip file.
Run one of the following commands in PowerShell:
To create a Microsoft Windows signed certificate, run the following command:
CertGenVVD-3.0.ps1 -MSCASigned -attrib 'CertificateTemplate:VMware' -inter
To create a certificate signing request for a third-party CA, run the following command:
CertGenVVD-3.0.1.ps1 -CSR
Type a password for the key file. A folder named SignedByMSCACerts is created.
Zip the contents of the SignedByMSCACerts folder.
Use a file transfer utility to copy the SignedByMSCACerts zipped folder to the SDDC Manager Controller VM in the /opt/vmware/cert-mgmt/bin directory.
Navigate to the /opt/vmware/cert-mgmt/bin directory and unzip the SignedByMSCACerts folder.
Package the generated key pairs, CA-signed certificates, and CA chain to prepare them for the certificate replacement tool.
Note: If the key files are password protected, you must have the password. All password-protected key files must have the same password.
Follow these steps to build the file package:
Using the root credentials, SSH in to the SDDC Manager Controller VM.
In the /opt/vmware/cert-mgmt/bin directory of the SDDC Manager Controller VM, type the following command.
./vcfcerthelper --config_file config.json --cert_dir SignedByMSCACerts --password 'psswd' --action build-certrepl-config --enable_ssl_passthrough
The file package is created in the same directory that contains the CA signed certificates.
Complete the following to back up the TrustStores for vCenter Server, Platform Services Controllers, and the SDDC Manager Controller VM.
In the /opt/vmware/cert-mgmt/bin directory of the SDDC Manager Controller VM, type the following command.
./vcfcerthelper --action list-ca --cert_dir truststore-backup-day-1
Take a snapshot of the Cloud Foundation components. The certificate configuration tool has a built-in feature to create these snapshots.
In the /opt/vmware/cert-mgmt/bin directory of the SDDC Manager Controller VM, type the following command.
./vcfcerthelper --config_file config.json --action create-snapshot
Note: This requires that the certificate's validity start date be at least 24 hours in the past.
After the snapshots have been taken, replace the certificates with the signed certificates you generated.
Navigate to the /opt/vmware/cert-mgmt/bin directory of the SDDC Manager Controller VM.
Run the following command.
/usr/java/jre-vmware/bin/java -Djsse.enableSNIExtension=false -jar /opt/vmware/cert-mgmt/lib/certreplace-0.0.1-SNAPSHOT.jar -config SignedByMSCACerts/config-vcf.json
Note: If there are any VDI workload domains in the environment, see the "Re-trust VDI Workload Domains" section in the VMware Cloud Foundation Admin Guide.
Access the SDDC Manager Dashboard to verify that the new certificates work.
In a web browser, log in to the SDDC Manager Dashboard at https://IP-FQDN:8443/vrm-ui to verify that it displays correctly.
Launch vCenter Server Web Client to verify that it displays correctly.
If vRealize Operations is deployed, log in to vRealize Operations and verify that all adapters are collecting data. Some adapters may display an error until the next collection cycle.
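As an added check that is not part of vcfcerthelper or the VMware guide, the following shell functions inspect the certificate a service actually presents after replacement, so you can confirm the issuer and validity dates from the SDDC Manager Controller VM rather than only from a browser. They assume the openssl CLI and GNU date are installed; the host name, port and expected issuer are placeholders.

```shell
#!/bin/sh
# Added post-replacement check; not part of vcfcerthelper or the VCF guide.
# Assumes the openssl CLI and GNU date are available on the host you run it
# from. Host names, ports and the expected issuer below are placeholders.

# Print one field of a PEM certificate with the "label=" prefix removed.
# RFC2253 name formatting keeps issuer/subject comparable as plain strings.
cert_field() {  # cert_field <pem-file> <-subject|-issuer|-startdate|-enddate>
  openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[^=]*=//'
}

# Seconds elapsed since the certificate's notBefore (negative if not yet valid).
cert_age_seconds() {
  nb=$(cert_field "$1" -startdate)
  echo $(( $(date +%s) - $(date -d "$nb" +%s) ))
}

# Save the leaf certificate a TLS endpoint presents so it can be inspected
# with the functions above, e.g. fetch_served_cert <fqdn> 8443 out.pem
fetch_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Returns 0 when the certificate is issued by the expected CA, has been valid
# for at least 24 hours (the validity note in this procedure) and is not
# within 30 days of expiry; otherwise prints each finding and returns 1.
check_cert() {  # check_cert <pem-file> <expected-issuer-substring>
  pem="$1"; want_issuer="$2"; rc=0
  issuer=$(cert_field "$pem" -issuer)
  echo "subject : $(cert_field "$pem" -subject)"
  echo "issuer  : $issuer"
  echo "validity: $(cert_field "$pem" -startdate) -> $(cert_field "$pem" -enddate)"
  case "$issuer" in
    *"$want_issuer"*) ;;
    *) echo "FINDING: issuer does not contain '$want_issuer'"; rc=1 ;;
  esac
  if [ "$(cert_age_seconds "$pem")" -lt 86400 ]; then
    echo "FINDING: notBefore is less than 24 hours in the past"; rc=1
  fi
  if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null; then
    echo "FINDING: certificate expires within 30 days"; rc=1
  fi
  return $rc
}

# Example run against the dashboard endpoint named in this procedure
# (placeholder FQDN and CA name; substitute your own):
# fetch_served_cert sddc-manager.example.test 8443 /tmp/sddc.pem && \
#   check_cert /tmp/sddc.pem 'CN=Your Issuing CA'
```

Run it against each component endpoint you replaced (vCenter Server, Platform Services Controllers, SDDC Manager) and treat any FINDING line as a reason to re-check that component before deleting the snapshots.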
If you replaced certificates for specific components, you must verify trust. To do so:
SSH in to the SDDC Manager Controller VM.
Navigate to the /opt/vmware/cert-mgmt/bin/vcfcerthelper directory.
Type the following command:
./vcfcerthelper --action verify-trust --cert_dir dir
After certificates have been replaced successfully, delete the snapshots.
Note: Only delete the Cloud Foundation snapshots after certificates have been successfully replaced.
In the /opt/vmware/cert-mgmt/bin/vcfcerthelper directory of the SDDC Manager Controller VM, type the following command.
./vcfcerthelper --config_file config.json --action remove-snapshot