Replace SDDC Manager cert with VMCA-Signed

Script to replace SDDC Manager certificate with a VMCA Signed Certificate

The SDDC Manager offers two options to replace certificates for itself and the other BoM components in a VCF Environment: Microsoft CA or OpenSSL CA.

A built-in option to replace the component certificates with a VMCA-signed certificate from the Management WLD vCenter Server is not available. While there are documented manual steps to replace the other components' certificates with a VMCA-signed certificate, there is no readily available option to do this for the SDDC Manager itself.

Additionally, if the SDDC Manager certificate has expired, the SDDC Manager's own certificate replacement functionality (whether through the UI or the API) cannot be used until its certificate is renewed manually to bring its services back online.

To that end, I've written a script to automate this entire process. This Python script is run as root on the SDDC Manager. The script performs the following operations:

  • Create a local CSR and Private Key on the SDDC Manager
  • Using the CSR, get a VMCA Signed Certificate from the Management WLD vCenter Server
  • Apply the Certificate on the SDDC Manager
  • Restart the nginx service on the SDDC Manager
  • Confirm that we are seeing the applied cert on port 443

The script is available on my Github here.


Inventory Sync for SDDC Manager

Inventory Sync using the Async Patch Tool

A VCF Environment consists of multiple components, including but not limited to vCenter Server, ESXi, NSX, vSAN, the Aria Suite products, etc. Depending on the size of the VCF environment and the number of workload domains present in it, keeping track of the inventory of the components and their versions can get out of hand.

SDDC Manager, in its current state, is unable to dynamically query and update its inventory state information, particularly when it comes to tracking the versions of the various BoM components.

A rather easy way to update this inventory information is using the --performInventorySync option available in the Async Patch Tool.


Solution Licensing - A Single License for VCF and VVF

Solution License

With the announcement of the End of Availability of perpetual licensing and SaaS services by VMware by Broadcom, and the release of VMware Cloud Foundation 5.1.1, VCF components can now use a single solution license instead of individual component licenses.

As mentioned in the VCF 5.1.1 release notes:

Solution Licensing: The component products of VCF can now derive their entitlements from a single solution license key (except for vSAN, which still requires a separate license). Individual component license keys continue to be supported. Use the vSphere Client to apply the solution license or the SDDC Manager UI to apply individual component licenses.


VCF Diagnostic Tool - Troubleshooting and Diagnostic Utility for VMware

VCF Diagnostic Tool

With the increasing growth and constant evolution of the VMware product stack, troubleshooting all the components and services involved is no simple feat. One of the most useful tools for getting a head start in the troubleshooting process is the VCF Diagnostic Tool (VDT).

VDT (developed and built by VMware Support) is a utility designed to run a series of comprehensive checks live on a target appliance. In its current state, VDT supports the vCenter Server and SDDC Manager appliances.

Depending on where it is run, VDT analyzes the appliance and/or environment configuration, performing a series of checks to identify potential issues or inconsistencies. It presents results in a user-friendly format, categorizing findings as PASS, WARN, or FAIL, along with informative INFO messages. The goal is to offer real-time diagnostic information, enabling administrators to proactively address any issues that it catches.

VDT is exclusively read-only. While the tool runs several commands and API calls to gather and analyze data, it does not make any changes to the environment. This ensures that admins can rely on the diagnostic insights without worrying about unintended or unscheduled modifications. Detailed logs from each run of the utility are generated and stored within the appliance, and automatically collected as a part of each appliance support bundle.
