SDDC Manager 5.x
SDDC Manager 9.0
Saving the Certificate Authority settings in the SDDC Manager UI always triggers the deletion of the existing root CA certificate (ca.crt). Therefore, if a certificate renewal task is performed, a new root certificate for signing is generated. This occurs even when the settings are saved without any modifications.
root@sddc01 [ /opt/vmware/vcf/operationsmanager/certificates/openssl-ca ]# ls -l
total 52
-rwxr-x--- 1 vcf_operationsmanager vcf 2185 Mar 14 2024 ca.cnf
-rw-r--r-- 1 vcf_operationsmanager vcf 2260 Sep 4 05:53 ca.conf
-rw-r--r-- 1 vcf_operationsmanager vcf 2204 Sep 4 05:53 ca.crt <============ This file is deleted after the settings are saved in Certificate Authority
-rw------- 1 vcf_operationsmanager vcf 3272 Sep 4 05:53 ca.key
-rw-r--r-- 1 vcf_operationsmanager vcf 190 Sep 4 06:31 index.txt
-rw-r--r-- 1 vcf_operationsmanager vcf 20 Sep 4 06:31 index.txt.attr
-rw-r--r-- 1 vcf_operationsmanager vcf 20 Sep 4 05:53 index.txt.attr.old
-rw-r--r-- 1 vcf_operationsmanager vcf 95 Sep 4 05:53 index.txt.old
drwxr-xr-x 2 vcf_operationsmanager vcf 4096 Sep 4 06:31 newcerts
-rwxr-x--- 1 vcf_operationsmanager vcf 2263 Mar 14 2024 openssl.cnf
-rw-r--r-- 1 vcf_operationsmanager vcf 2319 Sep 4 05:53 openssl.conf
-rw-r--r-- 1 vcf_operationsmanager vcf 17 Sep 4 06:31 serial
-rw-r--r-- 1 vcf_operationsmanager vcf 17 Sep 4 05:53 serial.old
The log entry below indicates that a new root certificate was generated.
-operationmanager.log
YYYY-MM-DDT05:53:29.817+0000 DEBUG [vcf_om,68b929597110730af4e81dc14bc2d572,7799] [c.v.e.s.c.util.LocalProcessService,om-exec-22] Executing the Local command: openssl req -new ***** -out /opt/vmware/vcf/operationsmanager/certificates/openssl-ca/ca.crt -config /opt/vmware/vcf/operationsmanager/certificates/openssl-ca/ca.conf -days 3650
Do not press the Save button in the SDDC Manager Certificate Authority UI if you do not want to replace the existing root CA certificate.
A cancel button has been added to the UI in SDDC Manager 5.2.1 and later.
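To check whether the root CA was regenerated, the following added example (not VMware code) scans the log for the openssl req command shown above and compares ca.crt with a saved SHA-256 baseline. The function names, the baseline file and the sample log lines are constructed for illustration; the paths and log format are taken from this article.

```shell
#!/bin/sh
# Added example, not VMware code. The paths and log format come from the
# article; function names, the baseline file and sample lines are constructed.

# Print "<timestamp> days=<n>" for each log line where the root CA certificate
# was regenerated: "openssl req -new" whose -out target is openssl-ca/ca.crt.
find_ca_regen() {   # args: log file(s); reads stdin when none are given
    awk '/Executing the Local command: openssl req -new/ &&
         /-out [^ ]*\/openssl-ca\/ca\.crt( |$)/ {
             days = "?"
             for (i = 1; i < NF; i++) if ($i == "-days") days = $(i + 1)
             print $1, "days=" days
         }' "$@"
}

# Compare ca.crt against a recorded SHA-256 baseline.
# Returns 0 = unchanged, 1 = changed or missing, 2 = baseline just created.
check_ca_baseline() {   # $1 = CA directory, $2 = baseline file
    [ -f "$1/ca.crt" ] || { echo "ca.crt missing in $1" >&2; return 1; }
    now=$(sha256sum "$1/ca.crt" | cut -d' ' -f1)
    [ -f "$2" ] || { echo "$now" > "$2"; return 2; }
    [ "$now" = "$(cat "$2")" ] && return 0
    echo "ca.crt differs from baseline $2" >&2
    return 1
}

# Constructed sample: the first line mirrors the article's log entry, the
# second is an unrelated request that must not match.
sample_log() {
    cat <<'EOF'
2001-01-01T05:53:29.817+0000 DEBUG [vcf_om,0000,7799] [c.v.e.s.c.util.LocalProcessService,om-exec-22] Executing the Local command: openssl req -new ***** -out /opt/vmware/vcf/operationsmanager/certificates/openssl-ca/ca.crt -config /opt/vmware/vcf/operationsmanager/certificates/openssl-ca/ca.conf -days 3650
2001-01-01T06:31:02.100+0000 DEBUG [vcf_om,0001,7799] [c.v.e.s.c.util.LocalProcessService,om-exec-23] Executing the Local command: openssl req -new ***** -out /tmp/host.csr -config /tmp/host.conf
EOF
}

sample_log | find_ca_regen   # demo run on the constructed lines
```

Record the baseline before opening the Certificate Authority settings and keep the baseline file outside the openssl-ca directory, so a later run shows whether ca.crt was replaced.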