This blog is a walkthrough of replacing your vCenter, SDDC Manager and NSX-T certificates through SDDC Manager using a Microsoft certificate authority. You can do it a couple of ways: one is to add the certificate authority to SDDC Manager, the other is to sign and upload the certificates manually. The process below is the manual one.

Log in to SDDC Manager

Expand inventory > click workload domains > click mgmt-domain

Click the security tab > select all the certificates > click generate CSRs

Fill in the details below with your details and click next

IP addresses are optional, click next

Click generate CSRs

Click download CSR

Extract the GZ download (I used 7zip)

Extract the TAR file

The folder name will be the same as your domain name in SDDC Manager

Inside the folder there will be a folder for each server, including any VIPs for NSX-T

Inside each of the folders there will be a CSR for you to sign with your certificate authority

You need to repeat the following process of signing your CSRs with your certificate authority for each server

Log in to your Microsoft certificate authority web enrolment page

Click request a certificate

Click advanced certificate request

Paste the first CSR content into saved request

Change your certificate template to the “VMware” one and click submit

For the first one you download, download the certificate chain. For the others you can just download the certificate; the chain is so you can obtain the root and intermediate certificates, if there are any.

Repeat the process for the other CSRs and download only the certificates. Put the downloaded certificates in the folders representing their names

Open the certificate that you downloaded with the full chain to extract the server certificate, the root certificate and the intermediate certificates (if there are any intermediates)

Right click the root certificate > all tasks > click export

In my lab I only have the root and not the intermediate certificate

Click next

Select base-64 encoded x.509 and click next

Save it in the workload domain folder with the other folders

Click next

Click finish

Click ok

Export the server certificate

Right click server certificate > all tasks > Click export

Click next

Select base-64 encoded x.509 and click next

Save it in the folder representing it (same location as the CSR) and click next

Click finish

Click ok

Rename all the .cer files to .crt, including the root CA. You can use the following command from a command prompt if that makes things easier: “ren *.cer *.crt”

example below

Rename all the .crt files to their representing FQDN; each should match its CSR name. The root certificate needs to be named rootca.crt

Within the server folders only the .crt and .csr should exist

Example format

rootca.crt format

Copy the domain folder to the root directory of your computer

Open a command prompt as an administrator and run the following command to convert the folder into a tar.gz file

The domain name should match what is in SDDC Manager

tar -czvf mgmt-domain.tar.gz "C:\mgmt-domain"

Output should look like this
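Before packaging, it is worth checking the folder layout the steps above describe, so a bad bundle is caught on your workstation rather than at the upload. The script below is an added example, not part of the original post or of any VMware tooling: it checks that rootca.crt sits at the top of the domain folder, that each server folder holds exactly one .csr and one .crt with the same name and nothing else, that every .crt is a single base64 PEM block (the "expected one server certificate ... but found 0" error from the Problems section comes from a .cer that was exported in binary DER form or otherwise mangled), and only then builds the tar.gz with the domain folder as the archive's top-level directory, which is what the tar command above produces. Python is used here because it runs the same on Windows and on the SDDC Manager side; the server name vcenter-mgmt.sddc.vcf.lab is taken from the post's error message, and all file contents are constructed placeholders, not real certificates.

```python
"""Pre-upload check and packaging for an SDDC Manager certificate bundle (added example)."""
import base64
import binascii
import os
import re
import tarfile
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_pem_file(path):
    """Return a list of problems; an empty list means one well-formed PEM certificate."""
    try:
        with open(path, "r", encoding="ascii") as f:
            text = f.read()
    except (OSError, UnicodeDecodeError) as e:
        return [f"{path}: not readable as ASCII text ({e})"]
    bodies = PEM_BLOCK.findall(text)
    if len(bodies) != 1:
        # Same symptom SDDC Manager reports as "Expected one server certificate ... but found N"
        return [f"{path}: expected one certificate block but found {len(bodies)}"]
    try:
        der = base64.b64decode("".join(bodies[0].split()), validate=True)
    except binascii.Error as e:
        return [f"{path}: certificate body is not valid base64 ({e})"]
    if not der.startswith(b"\x30"):
        return [f"{path}: decoded body does not start with a DER SEQUENCE"]
    return []


def check_domain_folder(domain_dir):
    """Check the layout: rootca.crt at the top, one .csr and one matching .crt per server folder."""
    problems = []
    root = os.path.join(domain_dir, "rootca.crt")
    if os.path.isfile(root):
        problems += check_pem_file(root)
    else:
        problems.append("rootca.crt is missing from the domain folder")
    for name in sorted(os.listdir(domain_dir)):
        server_dir = os.path.join(domain_dir, name)
        if not os.path.isdir(server_dir):
            continue
        files = sorted(os.listdir(server_dir))
        csrs = [f for f in files if f.endswith(".csr")]
        if len(csrs) != 1:
            problems.append(f"{name}: expected one .csr but found {len(csrs)}")
            continue
        crt = csrs[0][:-4] + ".crt"  # the .crt must carry the same FQDN as the .csr
        for f in files:
            if f not in (csrs[0], crt):
                problems.append(f"{name}: unexpected file {f} (rename .cer to .crt, remove leftovers)")
        if crt in files:
            problems += check_pem_file(os.path.join(server_dir, crt))
        else:
            problems.append(f"{name}: {crt} is missing")
    return problems


def package_domain(domain_dir, out_path):
    """Build the tar.gz with the domain folder as top-level entry; refuse if any check fails."""
    problems = check_domain_folder(domain_dir)
    if problems:
        raise ValueError("not packaging, fix these first:\n" + "\n".join(problems))
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(domain_dir, arcname=os.path.basename(domain_dir))
    return out_path


# Constructed placeholders: a DER SEQUENCE holding one INTEGER, not a real certificate or CSR.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
DUMMY_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQE=\n-----END CERTIFICATE REQUEST-----\n"
BINARY_CER = b"\x30\x03\x02\x01\x01"  # raw DER with no PEM armour, like a binary .cer export


def build_demo_tree(corrupt=False):
    """Create a constructed mgmt-domain tree in a temp dir; returns the domain folder path."""
    domain = os.path.join(tempfile.mkdtemp(), "mgmt-domain")
    server = os.path.join(domain, "vcenter-mgmt.sddc.vcf.lab")
    os.makedirs(server)
    with open(os.path.join(domain, "rootca.crt"), "w") as f:
        f.write(GOOD_PEM)
    with open(os.path.join(server, "vcenter-mgmt.sddc.vcf.lab.csr"), "w") as f:
        f.write(DUMMY_CSR)
    crt = os.path.join(server, "vcenter-mgmt.sddc.vcf.lab.crt")
    with open(crt, "wb" if corrupt else "w") as f:
        f.write(BINARY_CER if corrupt else GOOD_PEM)
    return domain


def demo():
    """Package a good tree and report the problems found in a corrupt one."""
    good = build_demo_tree()
    with tarfile.open(package_domain(good, good + ".tar.gz")) as tar:
        members = sorted(tar.getnames())
    bad_problems = check_domain_folder(build_demo_tree(corrupt=True))
    return members, bad_problems


if __name__ == "__main__":
    members, bad_problems = demo()
    print("archive members:", members)
    print("problems in corrupt tree:", bad_problems)
```

Point check_domain_folder at the C:\mgmt-domain folder you copied to the root of the drive and read the list it returns; package_domain only writes the archive when that list is empty, so a stray .cer or a binary-exported certificate never reaches the upload step.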

Go back to SDDC Manager and click upload and install certificates

Browse to the tar.gz file and click upload

Click install certificate

Done

Completed

Problems

1. Sometimes the certificate gets corrupted, so when you import through SDDC Manager you might get the following error

Failed to upload Certificates. Expected one server certificate in vcenter-mgmt.sddc.vcf.lab but found 0.

So check the certificate by opening it in Notepad and make sure it is not gibberish

2. Sometimes when the certificate is signed, they do not use the VMware template documented on the VMware site, so the upload might fail

3. Sometimes they don’t complete all the activities to create the documented VMware template, so the installation of the certificate might fail.

4. If you want to bypass the certificate validation you can do the following on the SDDC Manager CLI

Log in to SDDC Manager via SSH

su

vi /home/vcf/feature.properties

Copy the below content into the file

feature.vcf.operationsmanager.certificatemanagement.csr_server_cert_content_validation=false

chmod 755 /home/vcf/feature.properties

cat /home/vcf/feature.properties

feature.vcf.operationsmanager.certificatemanagement.csr_server_cert_content_validation=false

systemctl restart operationsmanager

Wait 5 minutes before logging back in to SDDC Manager

5. Creating a VMware template for a Microsoft certificate authority

https://docs.vmware.com/en/VMware-Cloud-Foundation/4.4/vcf-admin/GUID-10D1148B-59F4-4786-B226-250A012B834B.html

By Kader