Region B Certificate Replacement
After you first replace the certificates in Region A, you continue with the certificate replacement on the components in Region B.
- Create and Add a Microsoft Certificate Authority Template in Region B: The first step in certificate generation and replacement is setting up a Microsoft Certificate Authority template through a Remote Desktop Protocol session. After you have created the new template, you add it to the certificate templates of the Microsoft CA.
- Use the Certificate Generation Utility to Generate Certificates Automatically in Region B: You can use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate signed certificates that you can import to the SDDC management products in Region B. You can then import the certificates to these components to maintain a secure connection to the external network and between the components themselves.
- Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region B: Create certificate signing requests for the management components in the SDDC and send them to a certificate authority, such as the Microsoft AD server in Region B, to obtain a signed component certificate.
- Generate CA-Signed Certificates for the SDDC Management Components in Region B: When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA).
- Replace Certificates of the Management Products in Region B: After you generate a certificate for a management product in Region B that is signed by the certificate authority on the parent or child AD server in the region, replace the default certificate or an expired certificate with the newly signed one on the product instance in the region.