• SDDC Manager automated daily hygiene health checks report failures. The SDDC Manager UI displays "Certificate check fails".
• Running the Supportability and Serviceability (SoS) tool health check command /opt/vmware/sddc-support/sos --health-check produces a result.json containing the following failures:

{
                "name": "SDDC_MANAGER_FQDN.example.com",
                "status": "FAILED",
                "message": "Certificate validation is failed for SDDCMANAGER:SDDC_MANAGER_FQDN.example.com. If Certificate End date is 15 days or less, SoS will show result as failed.Certificate expires in 8 day(s).",
                "errors": "Certificate validation is failed for SDDCMANAGER:SDDC_MANAGER_FQDN.example.com. If Certificate End date is 15 days or less, SoS will show result as failed.Certificate expires in 8 day(s)."

                   } 

• Similar errors may be reported for other components, such as vCenter Server: "message": "Certificate validation is failed for VC:<VC_HOSTNAME>. If Certificate End date is 15 days or less, SoS will show result as failed.Certificate expires in 9 day(s).

VMware Cloud Foundation 5.x

The SDDC Manager health check and SoS tool have a hardcoded threshold that triggers a "FAILED" status if a component certificate is within 15 days of its expiration date or has already expired.

To resolve the health check failure, you must rotate or replace the expiring certificates for the specific components identified in the SoS report.

1. Log in to the SDDC Manager UI.

2. Navigate to Administration > Certificate Management.

3. Identify the components with status "Expiring Soon" or "Expired".

4. Select the component and follow the standard VCF workflow to Generate CSR and Install Certificate.

5. After successful installation, re-run the SoS health check to verify the "PASSED" status: /opt/vmware/sddc-support/sos --health-check

Certificate Management for VMware Cloud Foundation