"Failed to load Certificate Signing Requests. Unable to get CSR. Ensure that the Generate CSRs workflow is triggered for Domain ID" when updating vCenter certificates in SDDC Manager.

Article ID: 431418

Products

VMware Cloud Foundation, VMware vCenter Server 8.0

Issue/Introduction

The error "Failed to load Certificate Signing Requests. Unable to get CSR. Ensure that the Generate CSRs workflow is triggered for Domain ID" appears in the SDDC Manager Certificate Management UI while installing a custom CA-signed certificate for a vCenter Server in a Workload Domain.

Investigation shows that the certificate was issued for a CSR created outside SDDC Manager. Because the SDDC Manager workflow was bypassed, no matching CSR (and therefore no matching private key) exists in the SDDC Manager database, and the upload fails its pre-check on this workflow mismatch.

Cause

The certificate installation fails because the Generate CSRs workflow was never run in the SDDC Manager UI for the affected vCenter Server resource.

In VMware Cloud Foundation, SDDC Manager is the orchestrator for certificate lifecycle management. When it generates a CSR it also generates and stores the private key for that resource, and the certificate uploaded later must be the one issued for that CSR. If the CSR was generated elsewhere, SDDC Manager holds no private key matching the public key in the certificate, so it cannot install the certificate and key pair on vCenter Server, and it could not manage future automated rotations of that certificate either. The UI therefore refuses the upload at pre-check rather than leaving vCenter Server with a certificate it has no key for, which would break the certificate chain and cost management connectivity.

Resolution

Follow the standard VCF automated workflow for certificate replacement using a custom or external Certificate Authority (CA). Refer to the technical documentation: Managing Certificates in VMware Cloud Foundation.

Prerequisite: Take offline snapshots of the SDDC Manager VM and the target vCenter Server VM before proceeding with certificate operations.

Step 1: Generate the CSR (Certificate Signing Request)

  1. Log in to the SDDC Manager UI.
  2. Navigate to Inventory > Workload Domains and select the Workload Domain containing the vCenter.
  3. Go to the Certificates tab.
  4. Select the vCenter Server component and click Generate CSR.
  5. Fill out the required fields (FQDN, Organization, etc.) and download the generated CSR file.

Step 2: Sign the Certificate

  1. Submit the downloaded CSR to your internal or external CA.
  2. Have the CA sign the request and return a Base64-encoded PEM certificate chain (it must contain the vCenter certificate together with the issuing intermediate and root CA certificates).

Step 3: Upload and Install

  1. Return to the Certificates tab in SDDC Manager.
  2. Select the vCenter Server and click Upload and Install Certificate.
  3. Paste or upload the newly signed PEM certificate chain.
  4. SDDC Manager will trigger a workflow task to orchestrate the installation on the vCenter and restart the required services.
  5. Validation: Monitor the task in the SDDC Manager tasks pane. The vCenter services will restart automatically once the push is successful.
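Added example, not part of the original article and not VMware's code: a POSIX shell pre-check, built on the openssl CLI, that a practitioner can run before Step 3 to confirm that the chain returned by the CA really was issued for the CSR downloaded from SDDC Manager in Step 1 (the public key in the leaf certificate must equal the public key in the CSR), that the leaf certificate comes first in the bundle, and that it chains to a root using only the certificates bundled with it. The file names, the throwaway root CA and the second "external" CSR are constructed here for the demonstration; the check functions themselves take any CSR file and PEM bundle.

```shell
#!/bin/sh
# Added example, not VMware's code: pre-upload checks for a CA-signed chain.
# Assumes the openssl CLI is installed; file names below are placeholders.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo of a CSR ($1=req) or certificate ($1=x509).
# Fails (non-zero) instead of hashing empty input when the file cannot be parsed.
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# 0 if the first certificate in bundle $2 carries the public key from CSR $1.
# A certificate issued for a CSR made outside SDDC Manager fails this check:
# its key pair was never generated by, or stored in, SDDC Manager.
csr_matches_cert() {
    a=$(pubkey_fp req "$1") || return 1
    b=$(pubkey_fp x509 "$2") || return 1
    [ "$a" = "$b" ]
}

# Split a PEM bundle: first certificate into $2, every following one into $3.
split_chain() {
    : > "$2"; : > "$3"
    awk -v leaf="$2" -v rest="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n >= 1 { print > (n == 1 ? leaf : rest) }' "$1"
}

# 0 if the leaf verifies up to a root using only the issuers bundled after it
# (-no-CApath keeps the host's own trust store out of the decision).
chain_is_complete() {
    d=$(mktemp -d)
    split_chain "$1" "$d/leaf.pem" "$d/issuers.pem"
    if openssl verify -no-CApath -CAfile "$d/issuers.pem" "$d/leaf.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

# Constructed fixture (test data, not real material): a throwaway root CA, a CSR
# standing in for the one SDDC Manager generated, a leaf signed from it, and a
# second CSR standing in for one generated outside SDDC Manager.
build_fixture() {
    (
        cd "$1"
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/CN=Example Root CA" -days 1 >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -keyout sddc.key -out sddc.csr \
            -subj "/CN=vcenter.example.com" >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -keyout external.key -out external.csr \
            -subj "/CN=vcenter.example.com" >/dev/null 2>&1
        openssl x509 -req -in sddc.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out leaf.crt -days 1 >/dev/null 2>&1
        cat leaf.crt ca.crt > chain.pem      # leaf first, issuers after it
        cat ca.crt leaf.crt > reversed.pem   # wrong order: root listed first
    )
}

work=$(mktemp -d)
build_fixture "$work"
for csr in sddc.csr external.csr; do
    if csr_matches_cert "$work/$csr" "$work/chain.pem"; then
        echo "$csr: public key matches the leaf certificate; safe to upload"
    else
        echo "$csr: public key does NOT match; the certificate was not issued for this CSR"
    fi
done
for bundle in chain.pem reversed.pem; do
    if chain_is_complete "$work/$bundle"; then
        echo "$bundle: leaf chains to a root using the bundled issuers"
    else
        echo "$bundle: leaf is not first, or the chain is incomplete"
    fi
done
rm -rf "$work"
```

For a real replacement, call csr_matches_cert with the CSR file downloaded in Step 1 and the bundle the CA returned; a mismatch means the certificate was issued for a key pair that SDDC Manager does not hold, which is the condition behind the error in this article, and uploading it will not succeed. chain_is_complete catches the other common upload failure, a bundle with the root listed first or with an intermediate missing.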

Additional Information

Following the native SDDC Manager workflow ensures that the private key is securely stored in the SDDC Manager database. This keeps to the single management model, in which vCenter Server stays synchronized with the SDDC Manager inventory. Retaining the private key within SDDC Manager is required for automated certificate renewals and for the later operations SDDC Manager performs against vCenter Server, such as password rotations and environment expansion.