Post-Deployment: Certificates
Configure the Microsoft CA in Fleet Manager, generate CSRs for all VCF components, and deploy signed certificates across the stack.
Prerequisites: Windows AD and ADCS must already be deployed (see Windows AD Deployment), and Identity & SSO should be configured first (see Post-Deployment: Identity & SSO).
Configure the Certificate Authority
Under Fleet Management → Certificates, select Configure CA:
| Field | Value |
|---|---|
| CA Server URL | https://winsrv1.pgnet.local/certsrv |
| User Name | svc-vcf-ca@pgnet.local |
| Password | VMware123!VMware123! |
| Template Name | VMware |
Repeat this configuration for both VCF Management and the VCF instance.
Generate and Deploy Certificates
For each VCF component, select the TLS Certificate type → ... → Generate CSR.
Example parameters for fleet.pgnet.io:
| Parameter | Value |
|---|---|
| Common Name | fleet.pgnet.io |
| Organization | pgnet |
| Organizational Unit | PGGB |
| Country | Australia |
| State/Province | Queensland |
| Locality | Brisbane |
| Email Address | admin@pgnet.io |
| Host | fleet.pgnet.io |
| Subject Alternative Name | fleet.pgnet.io |
| Key Size | 4096 |
Workflow
- Use SDDC Manager to generate CSRs for SDDC Manager, vCenter, and NSX Manager.
- Submit CSRs to the Microsoft CA.
- Import the signed certificates back into SDDC Manager.
- Execute the Replace Certificates workflow to propagate trust across the stack.
Certificate Status Reference
| Name | Hostname | Status | Issuer | Expiration | Type |
|---|---|---|---|---|---|
| Fleet Management | fleet.pgnet.io | Active | Microsoft CA | 12 Feb 2028 | TLS Certificate |
| VCF Automation | pgauto-w2npg | Active | Self Signed CA | 4 Feb 2028 | TLS Certificate |
| VCF Operations | ops.pgnet.io | Active | Self Signed CA | 4 Feb 2028 | TLS Certificate |
The CA root certificate must also be installed in the trust store of every workstation that accesses these components; otherwise browsers will warn that the chain is untrusted, even though the server certificate itself is valid.
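The Go program below is an added example, not part of this runbook or of the VMware tooling. It reproduces the CSR parameters from the fleet.pgnet.io table and the root-trust check from the sentence above: it generates a CSR with that subject and SAN, re-reads it before submission (signature, CN/SAN, key size), signs it with a self-signed root that stands in for the Microsoft CA, and then verifies the issued certificate the way a client that trusts that root would. Assumptions: the Country field is written as the ISO code AU, the CA name pgnet-CA-placeholder is made up, and the stand-in root replaces ADCS, which is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Subject from the CSR parameter table. Assumption: "Australia" is entered as the ISO code "AU".
var fleetSubject = pkix.Name{
	CommonName: "fleet.pgnet.io", Organization: []string{"pgnet"}, OrganizationalUnit: []string{"PGGB"},
	Country: []string{"AU"}, Province: []string{"Queensland"}, Locality: []string{"Brisbane"},
}

// NewCSR generates an RSA key and a PEM CSR with host as DNS SAN; the key never leaves the component.
func NewCSR(subject pkix.Name, host string, bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: subject, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckCSR is the pre-submission check: PEM decodes, the self-signature holds, CN and SAN equal host, key is RSA-bits.
func CheckCSR(csrPEM []byte, host string, bits int) (*x509.CertificateRequest, error) {
	blk, _ := pem.Decode(csrPEM)
	if blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if csr.Subject.CommonName != host || len(csr.DNSNames) != 1 || csr.DNSNames[0] != host {
		return nil, fmt.Errorf("CN/SAN mismatch: CN=%q SAN=%v want %q", csr.Subject.CommonName, csr.DNSNames, host)
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() != bits {
		return nil, fmt.Errorf("expected an RSA-%d key", bits)
	}
	return csr, nil
}

// IssueFromCSR stands in for the Microsoft CA (constructed; caName is a placeholder): a fresh self-signed
// root signs the CSR's subject, SAN and public key into a server certificate valid for validDays.
func IssueFromCSR(csr *x509.CertificateRequest, caName string, validDays int) (leaf, root *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	notBefore := time.Now().Add(-time.Hour) // backdate slightly so clock skew on clients does not reject it
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName}, NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	leafTmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames, NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, validDays),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return leaf, root, err
}

// VerifyDeployed is the client-side check after Replace Certificates: the leaf must chain to the trusted
// root and match host. It returns the whole days of validity remaining.
func VerifyDeployed(leaf, root *x509.Certificate, host string) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return 0, err
	}
	return int(time.Until(leaf.NotAfter).Hours() / 24), nil
}
```

To use this against the real environment, replace the constructed leaf with the certificate a component actually serves and the stand-in root with the root exported from the Microsoft CA; the two components listed with issuer Self Signed CA in the status table will fail the chain step of VerifyDeployed until they are re-issued through the same workflow.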