Replace SDDC Manager cert with VMCA-Signed

Laraib Kazi
Script to replace SDDC Manager certificate with a VMCA Signed Certificate

The SDDC Manager offers two options to replace certificates for itself and the other BoM components in a VCF Environment: Microsoft CA or OpenSSL CA.

A built-in option to replace the component certificates with a VMCA-signed certificate from the Management WLD vCenter Server is not available. There are manual steps for replacing the other components' certificates with a VMCA-signed certificate, but there isn't a readily available way to do this for the SDDC Manager itself.

Additionally, if the SDDC Manager certificate has expired, the SDDC Manager's own certificate-replacement functionality (UI or API) cannot be used for any component until its certificate has been renewed manually and its services are back online.

To that end, I've written a script to automate the entire process. This Python script is run as root on the SDDC Manager and performs the following operations:

  • Create a local CSR and Private Key on the SDDC Manager
  • Using the CSR, get a VMCA Signed Certificate from the Management WLD vCenter Server
  • Apply the Certificate on the SDDC Manager
  • Restart the nginx service on the SDDC Manager
  • Confirm that we are seeing the applied cert on port 443
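
The first and last steps of that list (local key/CSR creation and the port-443 check), as an added example that is not the author's script: it assumes the `openssl` CLI is available on the SDDC Manager, treats the FQDN, output directory and applied-certificate path as placeholders, and leaves the VMCA signing step on the vCenter side out of scope.

```python
import hashlib
import ssl
import subprocess
from pathlib import Path


def generate_key_and_csr(fqdn: str, out_dir: Path) -> tuple[Path, Path]:
    """Create a private key and CSR for the SDDC Manager, with a SAN matching its FQDN.

    Assumes the openssl CLI is present (OpenSSL 1.1.1+ for -addext).
    """
    key_path = out_dir / f"{fqdn}.key"
    csr_path = out_dir / f"{fqdn}.csr"
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key_path), "-out", str(csr_path),
         "-subj", f"/CN={fqdn}",
         "-addext", f"subjectAltName=DNS:{fqdn}"],
        check=True,
    )
    key_path.chmod(0o600)  # the private key stays readable by root only
    return key_path, csr_path


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding inside a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def fingerprints_match(local_pem: str, served_pem: str) -> bool:
    """True when the served certificate is byte-for-byte the one we applied."""
    return pem_fingerprint(local_pem) == pem_fingerprint(served_pem)


def served_cert_is_applied(applied_pem_path: Path, host: str, port: int = 443) -> bool:
    """Fetch the certificate presented on port 443 and compare it to the applied file.

    get_server_certificate does not validate the chain; the point here is to
    observe what nginx serves after the restart, not to trust it.
    """
    served_pem = ssl.get_server_certificate((host, port))
    return fingerprints_match(applied_pem_path.read_text(), served_pem)


if __name__ == "__main__":
    # Placeholder values; replace with the real SDDC Manager FQDN and paths.
    fqdn = "sddc-manager.example.internal"
    print(generate_key_and_csr(fqdn, Path("/tmp")))
```

Run the check after restarting nginx; a mismatch means the old certificate is still being served.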

The script is available on my Github here.

To run the script, copy it over to the SDDC Manager, SSH to it as the vcf user, su to root, and run the command:

Screenshot of the Script Execution