Renewing self-signed certificates of vCenter via SDDC Manager with OpenSSL integration.

Article ID: 416177

Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

  • Provides steps to renew the vCenter Server certificates through SDDC Manager.
  • vCenter Server certificates in Management or Workload domains are nearing expiration.
  • SDDC Manager dashboard displays certificate expiration alarms.

Environment

VMware Cloud Foundation (VCF) 5.x
VMware Cloud Foundation (VCF) 9.0

Resolution

To renew vCenter self-signed certificates using the integrated OpenSSL Certificate Authority (CA) workflow in SDDC Manager, follow these steps:

Note: Ensure all vCenter Servers in the linked-mode group have a powered-off snapshot or a verified file-level backup.

1. Generate Certificate Signing Requests (CSRs)

  • Log in to the SDDC Manager UI.
  • In the navigation pane, click Inventory > Workload Domains.
  • Click the name of the target workload domain.
  • Click the Certificates tab.
  • Select the check box for the vCenter resource type where the certificate renewal is to be performed.
  • Click Generate CSRs.
  • Follow the wizard to configure details and click **Generate CSRs**.

2. Generate Signed Certificates

Note: Make sure the OpenSSL certificate authority is configured. See: Configure OpenSSL-signed Certificates in SDDC Manager

  • From the same Certificates tab, select the check box for the vCenter resource again.
  • Click Generate Signed Certificates.
  • In the wizard, select OpenSSL from the Select Certificate Authority drop-down menu.
  • Click **Generate Certificates**.

3. Install Certificates

  • From the Certificates tab, select the check box for the vCenter resource.
  • Click Install Certificates.
  • Monitor the task progress in the SDDC Manager dashboard until completion.

Confirm the vCenter certificate status is marked as **Valid** in the SDDC Manager UI and the vCenter server certificates are now updated.
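
The same result can be checked independently of the UI by validating the certificate vCenter serves on port 443 against the CA that signed it. The script below is an added example, not part of the original article or of VMware tooling; the FQDN, the CA file name (the signing CA's root certificate saved as PEM) and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: alert threshold, not a value from the article


def days_remaining(not_after, now=None):
    """Whole days until a notAfter string in getpeercert() format."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Return EXPIRED, EXPIRING (within warn_days) or VALID."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    return "EXPIRING" if left <= warn_days else "VALID"


def fetch_served_cert(host, cafile, port=443, timeout=10):
    """Return the validated certificate served by host:port.

    Verification stays on and trusts only cafile, so a handshake failure
    means the endpoint serves a certificate that does not chain to that CA
    or does not match the host name.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(host, cafile):
    """Summarise issuer, expiry and status of the served certificate."""
    cert = fetch_served_cert(host, cafile)
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {
        "host": host,
        "issuer_cn": issuer.get("commonName"),
        "not_after": cert["notAfter"],
        "status": classify(cert["notAfter"]),
    }


if __name__ == "__main__":
    # Hypothetical FQDN and CA file path; replace with your own values.
    print(report("vcenter01.example.test", "sddc-openssl-ca.pem"))
```

Run it before and after the install task: the `not_after` value should move forward and `issuer_cn` should name the CA selected in step 2.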

Additional Information

For Custom Certificate Renew/Install steps:

1. Microsoft CA Certificates

  • To renew the vCenter certificate with a Microsoft CA, the steps above are valid; in step 2, however, select the Microsoft CA from the drop-down menu instead of OpenSSL.

Note: Before following the steps above, you must have a Microsoft CA configured as outlined in the following documentation: Install Microsoft CA-Signed Certificates using SDDC Manager

2. Other Custom CA Certificate