
VMware Cloud Foundation Certificate Management

This section describes how to use the PowerShell module for VMware Cloud Foundation Certificate Management to manage certificates for SDDC Manager and for the workload domain components, with the exception of ESXi hosts, in your VMware Cloud Foundation instance.

Configuring the Certificate Authority for SDDC Manager

The Set-VCFCertificateAuthority cmdlet configures either a Microsoft Certificate Authority or an OpenSSL Certificate Authority as the certificate authority that SDDC Manager uses to sign certificates.

Configuring the Microsoft Certificate Authority for SDDC Manager

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with the values for your VMware Cloud Foundation instance and run the commands in the PowerShell console. The cmdlets accept the SDDC Manager and certificate authority passwords as plain strings, so set them interactively rather than leaving them in a saved script.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    $certAuthorityFqdn = "rpl-ad01.rainpole.io"
    $certAuthorityUser = "svc-vcf-ca"
    $certAuthorityPass = "VMw@re1!"
    $certAuthorityTemplate = "VMware"
    
  3. Configure the Certificate Authority for SDDC Manager by running the command in the PowerShell console.

    Set-VCFCertificateAuthority -certAuthority Microsoft -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -certAuthorityFqdn $certAuthorityFqdn -certAuthorityUser $certAuthorityUser -certAuthorityPass $certAuthorityPass -certAuthorityTemplate $certAuthorityTemplate

This example configures the Microsoft Certificate Authority rpl-ad01.rainpole.io as the certificate authority for SDDC Manager, using the service account svc-vcf-ca and the certificate template VMware.

Configuring the OpenSSL Certificate Authority for SDDC Manager

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with the values for your VMware Cloud Foundation instance and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    $commonName = "sfo-vcf01.sfo.rainpole.io"
    $country = "US"
    $locality = "San Francisco"
    $organization = "Rainpole"
    $organizationUnit = "Platform Engineering"
    $stateOrProvince = "CA"
    
  3. Configure the Certificate Authority for SDDC Manager by running the command in the PowerShell console.

    Set-VCFCertificateAuthority -certAuthority OpenSSL -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -commonName $commonName -organization $organization -organizationUnit $organizationUnit -locality $locality -state $stateOrProvince -country $country

This example configures the OpenSSL Certificate Authority built into SDDC Manager, with the subject details given above. Certificates signed by this CA chain to a root that SDDC Manager generates rather than to an enterprise or public CA, so clients only trust them once that root has been distributed to them.

Request Certificate Signing Requests for a Workload Domain

The Request-VCFCsr cmdlet requests that SDDC Manager generate and store certificate signing request (CSR) files for the components of a workload domain.

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with the values for your VMware Cloud Foundation instance and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    $workloadDomain = "sfo-m01"
    $country = "US"
    $locality = "San Francisco"
    $organization = "Rainpole"
    $organizationUnit = "Platform Engineering"
    $stateOrProvince = "CA"
    $keySize = "3072"
    $email = "admin@rainpole.io"
    
  3. Request Certificate Signing Request files by running the command in the PowerShell console.

    Request-VCFCsr -sddcManager -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain -Country $country -keySize $keySize -Locality $locality -Organization $organization -OrganizationUnit $organizationUnit -StateOrProvince $stateOrProvince -email $email
    

This example requests that SDDC Manager generate certificate signing request files, with 3072-bit keys and the given subject details, for all components associated with the workload domain sfo-m01 (ESXi hosts excluded).

Request Certificate Authority Signed Certificates for a Workload Domain

The Request-VCFSignedCertificate cmdlet requests that SDDC Manager connect to the configured certificate authority and have it sign the generated certificate signing request files for all components associated with the given workload domain.

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with the values for your VMware Cloud Foundation instance and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    $workloadDomain = "sfo-m01"
    
  3. Request Certificate Authority Signed Certificates for a workload domain by running the command in the PowerShell console.

    Request-VCFSignedCertificate -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -workloadDomain $workloadDomain -certAuthority Microsoft

This example connects to SDDC Manager and requests that the certificate signing request files for the workload domain sfo-m01 be signed by the Microsoft Certificate Authority configured earlier. The value of -certAuthority must match the type of CA that was configured with Set-VCFCertificateAuthority.

Installing and Replacing Certificate Authority Signed Certificates for a Workload Domain

The Install-VCFCertificate cmdlet installs the signed certificates for all components (except ESXi hosts) associated with the given workload domain.

  1. Start PowerShell (Run as Administrator).

  2. Replace the values in the sample code with the values for your VMware Cloud Foundation instance and run the commands in the PowerShell console.

    Example:

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "admin@local"
    $sddcManagerPass = "VMw@re1!VMw@re1!"
    $workloadDomain = "sfo-m01"
    
  3. Install the Certificate Authority Signed Certificates on SDDC Manager and the workload domain components by running the command in the PowerShell console.

    Install-VCFCertificate -sddcManager -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $workloadDomain

This example installs the signed certificates on SDDC Manager and on all components associated with the workload domain sfo-m01, except ESXi hosts.
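The whole procedure on this page, run as one script, is shown below as an added example; it is not code from the original page or from the module's authors. It assumes that the module providing the four cmdlets above is already imported, and the hostnames, account names, subject values and the expected issuer CN are placeholders. Unlike the samples above it prompts for credentials with Get-Credential instead of embedding passwords, and it ends with a check, using the .NET SslStream class, that the certificate SDDC Manager presents on port 443 is the one that was just installed.

```powershell
# Added example, not part of the original page or the module's own code: replace the
# certificates of one workload domain end to end with the cmdlets described above, then
# confirm that SDDC Manager actually serves the new certificate.
# Assumptions: the module that provides Set-VCFCertificateAuthority, Request-VCFCsr,
# Request-VCFSignedCertificate and Install-VCFCertificate is already imported; all
# hostnames, account names, subject values and the expected issuer CN are placeholders.

$sddcManagerFqdn       = "sfo-vcf01.sfo.rainpole.io"
$workloadDomain        = "sfo-m01"
$certAuthorityFqdn     = "rpl-ad01.rainpole.io"
$certAuthorityTemplate = "VMware"
$expectedIssuerCn      = "CN=rpl-ad01-CA"   # placeholder: subject CN of your issuing CA

# Prompt for credentials instead of embedding passwords in the script. The cmdlets take
# -pass / -certAuthorityPass as plain strings, so the SecureString is unwrapped only for
# the calls and the plaintext is discarded afterwards.
$sddcCred = Get-Credential -UserName "admin@local" -Message "SDDC Manager credentials"
$caCred   = Get-Credential -UserName "svc-vcf-ca"  -Message "Microsoft CA service account"
$sddcPass = $sddcCred.GetNetworkCredential().Password
$caPass   = $caCred.GetNetworkCredential().Password

try {
    # 1. Register the Microsoft CA as SDDC Manager's certificate authority (once per instance).
    Set-VCFCertificateAuthority -certAuthority Microsoft -server $sddcManagerFqdn `
        -user $sddcCred.UserName -pass $sddcPass `
        -certAuthorityFqdn $certAuthorityFqdn -certAuthorityUser $caCred.UserName `
        -certAuthorityPass $caPass -certAuthorityTemplate $certAuthorityTemplate

    # 2. Generate CSRs for every component in the workload domain (ESXi hosts are not covered).
    Request-VCFCsr -sddcManager -server $sddcManagerFqdn -user $sddcCred.UserName -pass $sddcPass `
        -domain $workloadDomain -country "US" -stateOrProvince "CA" -locality "San Francisco" `
        -organization "Rainpole" -organizationUnit "Platform Engineering" `
        -keySize "3072" -email "admin@rainpole.io"

    # 3. Have SDDC Manager submit the CSRs to the configured CA for signing.
    Request-VCFSignedCertificate -server $sddcManagerFqdn -user $sddcCred.UserName -pass $sddcPass `
        -workloadDomain $workloadDomain -certAuthority Microsoft

    # 4. Install the signed certificates on SDDC Manager and the domain's components.
    Install-VCFCertificate -sddcManager -server $sddcManagerFqdn -user $sddcCred.UserName -pass $sddcPass `
        -domain $workloadDomain
}
finally {
    # Do not leave plaintext secrets behind in the session.
    Remove-Variable -Name sddcPass, caPass -ErrorAction SilentlyContinue
}

function Get-ServedCertificate {
    # Opens a TLS connection and returns the leaf certificate the endpoint presents.
    # The validation callback accepts any chain on purpose: the goal is to inspect what is
    # served, which has to work even before this client trusts the new issuer.
    param([Parameter(Mandatory)][string]$Hostname, [int]$Port = 443)
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = [System.Net.Sockets.TcpClient]::new($Hostname, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Hostname)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Dispose()
    }
}

# Check what SDDC Manager now serves: the subject must be SDDC Manager's own FQDN and the
# issuer must be the CA that was configured, otherwise the old certificate is still in place.
$cert = Get-ServedCertificate -Hostname $sddcManagerFqdn
if ($cert.Subject -notlike "*CN=$sddcManagerFqdn*" -or $cert.Issuer -notlike "*$expectedIssuerCn*") {
    throw "Unexpected certificate on ${sddcManagerFqdn}: $($cert.Subject) issued by $($cert.Issuer)"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate for $sddcManagerFqdn expires on $($cert.NotAfter)"
}
"{0} issued by {1}, valid until {2:u}, SHA-1 thumbprint {3}" -f `
    $cert.Subject, $cert.Issuer, $cert.NotAfter, $cert.Thumbprint
```

The certificate-authority step is normally run once per instance, and the CSR, sign and install steps once per workload domain; the script keeps them together so the dependency between them is visible. The final check deliberately reads the certificate from the live endpoint rather than from the module's output, so it also catches a component that accepted the new certificate but is still serving the old one.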