In this design, you replace user-facing certificates with certificates that are signed by a Microsoft Certificate Authority (CA). By default, virtual infrastructure management components use TLS/SSL certificates that are signed by the VMware Certificate Authority (VMCA). These certificates are not trusted by end-user devices.

Infrastructure administrators connect to different SDDC components, such as vCenter Server systems or a Platform Services Controller from a Web browser to perform configuration, management and troubleshooting. The authenticity of the network node to which the administrator connects must be confirmed with a valid TLS/SSL certificate.

You can use other Certificate Authorities according to the requirements of your organization. You do not replace certificates for machine-to-machine communication. If necessary, you can manually mark these certificates as trusted.
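The trust model described above, as an added example that is not part of the VMware documentation: the script builds a throw-away enterprise CA and a throw-away stand-in for the VMCA, issues a user-facing vCenter-style certificate from the first and a machine-to-machine certificate from the second, and then runs the same chain check a browser performs against two trust stores, one holding only the enterprise root and one where the VMCA root has been added as trusted. All CA names, hostnames and file names are constructed placeholders; the only tool assumed is the openssl command-line utility.

```shell
#!/bin/sh
# Added example (not from the VMware Validated Design documentation): shows why
# a VMCA-signed certificate is rejected by a client that trusts only the
# enterprise CA, and why adding the VMCA root to the trust store changes that.
# All CA names and hostnames below are constructed placeholders.
set -eu

WORKDIR="$(mktemp -d)"

# make_ca NAME CN : create a self-signed root (key + certificate) in WORKDIR
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# issue_server_cert CANAME OUTNAME FQDN : leaf certificate with a DNS SAN,
# signed by the named CA (what a CA does with a CSR from vCenter Server)
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" \
        -subj "/CN=$3" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$3" \
        > "$WORKDIR/$2.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORKDIR/$2.csr" \
        -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" -CAcreateserial \
        -extfile "$WORKDIR/$2.ext" -out "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# trust_status TRUSTSTORE CERT : prints "trusted" if CERT chains to a root in
# TRUSTSTORE and "untrusted" otherwise (the check an end-user device performs)
trust_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# issuer_cn CERT : the CN of the CA that signed CERT
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# --- build the scenario ------------------------------------------------------
make_ca enterprise "Example Corp Issuing CA"   # stand-in for the Microsoft CA
make_ca vmca "VMCA Test Root"                   # stand-in for the VMCA

# user-facing vCenter Server certificate, re-issued by the enterprise CA
issue_server_cert enterprise vcenter "vcenter.example.local"
# machine-to-machine certificate left on its VMCA-issued default
issue_server_cert vmca machine "esxi01.example.local"

# trust store of an end-user device: the enterprise root only ...
cp "$WORKDIR/enterprise.crt" "$WORKDIR/store-default.pem"
# ... and the same store after the VMCA root has been manually marked as trusted
cat "$WORKDIR/enterprise.crt" "$WORKDIR/vmca.crt" > "$WORKDIR/store-with-vmca.pem"

for c in vcenter machine; do
    printf '%-8s issuer=%-26s default:%-9s with-vmca:%s\n' "$c" \
        "$(issuer_cn "$WORKDIR/$c.crt")" \
        "$(trust_status "$WORKDIR/store-default.pem" "$WORKDIR/$c.crt")" \
        "$(trust_status "$WORKDIR/store-with-vmca.pem" "$WORKDIR/$c.crt")"
done
```

Running the script prints one line per certificate: the vCenter certificate is trusted by both stores, while the VMCA-issued machine certificate is untrusted by the default store and becomes trusted only once the VMCA root is present, which is the situation the design leaves for machine-to-machine traffic.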

Components whose user-facing certificates are replaced:

1. Management vCenter Server
2. Management NSX Manager
3. Compute vCenter Server
4. Compute NSX Manager
5. vSphere Data Protection

Order of certificate replacement:

1. After you replace the Platform Services Controller certificate, you replace the vCenter Server machine SSL certificate. You generate a vCenter Server certificate manually or by using the CertGenVVD tool.

2. After you replace the certificates of all Platform Services Controller instances and all vCenter Server instances, replace the certificates for the NSX Manager instances.

3. After you use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates for the SDDC management components, replace the default VMware-signed certificate on vSphere Data Protection in Region A with the certificate that is generated by CertGenVVD.