Region A Certificate Replacement
You first replace the certificate in Region A. As the protected region, it contains the main management components of the SDDC.
- Create and Add a Microsoft Certificate Authority Template: You create a Microsoft Certificate Authority Template to contain the certificate authority (CA) attributes for signing certificates of the VMware SDDC solution.
- Use the Certificate Generation Utility to Generate Certificates Automatically in Region A: You can use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate signed certificates for all management components of this design in Region A. You can then import the certificates to these components to maintain a secure connection to the external network and between the components themselves.
- Generate Manually Key Pairs and Certificate Signing Requests for the Management Components in Region A: Create certificate signing requests for the management components in the SDDC and send them to a certificate authority, such as the Microsoft AD server in Region A, to obtain a signed component certificate.
- Generate CA-Signed Certificates for the SDDC Management Components in Region A: When you replace the default certificates of the SDDC management products, you can manually generate certificate files that are signed by the intermediate Certificate Authority (CA).
- Replace Certificates of the Management Products in Region A: After you generate a certificate for a management product in Region A that is signed by the two-layered certificate authority on the child AD server in the region, replace the default certificate or an expired certificate with the newly signed one on the product instance in the region.