Blog Date: July 11, 2024
In VMware Cloud Foundation 4.5.1, the certificates of Aria Suite LCM, NSX, VxRail and vCenter should be managed through SDDC Manager, so that SDDC Manager trusts each component's certificate. The official documentation on how to do this can be found here -> Manage Certificates in a VMware Cloud Foundation.
In some cases, however, certificates are replaced or updated outside of SDDC Manager, either through a lack of understanding or in an emergency where a certificate has already expired. In either situation the new certificate must be imported into the trusted root store on the SDDC Manager appliance to re-establish trust with that component; otherwise SDDC Manager will not function as intended.
The official knowledge base article can be found here -> How to add/delete Custom CA Certificates to SDDC Manager and Common Services trust stores.
The following steps update the SDDC Manager trust store with the new NSX certificate.
1. IMPORTANT: Take a snapshot of the SDDC Manager virtual machine. **Don't Skip This Step**
2. Use a file transfer utility to copy the new NSX certificate file to the /tmp directory on the SDDC Manager.
3. Establish an SSH connection to the SDDC Manager as the vcf user, and then issue the su - command to switch to the root user.
4. Obtain the trusted certificates key by issuing the following command:
   cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key
   Note: You will see output similar to the following:
   p_03ZjNI7S^B7V@8a+
5. Next, issue a command similar to the following to import the new NSX-T certificate into the SDDC Manager trust store:
   keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass <trust store key>
   Notes:
   - Type yes when prompted to trust the certificate.
   - Enter something meaningful, like sddc-mgmt-nsx, for the <aliasname> value.
   - Replace <certificate file> with the full path to the certificate file that was uploaded in Step 2.
   - Replace <trust store key> with the trusted certificates key value returned in Step 4.
6. Issue a command similar to the following to import the new NSX-T certificate into the Java trust store. Here the store password is changeit:
   keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts -storepass changeit
   Notes:
   - Type yes when prompted to trust the certificate.
   - Replace <aliasname> with the meaningful name chosen in Step 5.
   - Replace <certificate file> with the full path to the certificate file that was uploaded in Step 2.
7. Issue a command similar to the following to verify that the new NSX-T certificate has been added to the SDDC Manager trust store:
   keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass <trust store key>
   Note: Replace <trust store key> with the trusted certificates key value returned in Step 4.
8. Issue the following command to restart the SDDC Manager services:
   /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
9. (Optional) You can use the SDDC Manager SoS utility to check the health of the newly imported NSX-T certificate with the following command:
   /opt/vmware/sddc-support/sos --certificate-health --domain-name ALL
   Tip: For more information on the SoS utility, check out the documentation here -> SoS Utility Options (vmware.com)
10. If everything checks out, remove the snapshot that was taken prior to starting this procedure.
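The script below is an added example and is not part of the original post or of VMware's tooling. It wraps Steps 4 to 7 of the procedure in a few shell functions with the checks an operator usually wants in front of each keytool call: the uploaded file is really a PEM certificate and does not also carry a private key, the trust store key file is readable and non-empty, and the alias is not already present (keytool refuses to import over an existing alias, which is the usual reason a second run of Step 5 fails). The keystore and key file paths are the ones named in the post; the function names (require_pem_cert, read_trust_store_key, alias_exists, import_into_store, import_nsx_cert) are hypothetical, and it is assumed that trusted_certificates.key holds only the password, optionally followed by a newline.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware: a wrapper for
# Steps 4 to 7 of the procedure above. Run as root on the SDDC Manager after
# the snapshot (Step 1) and the certificate upload (Step 2).

COMMONSVCS_STORE=/etc/vmware/vcf/commonsvcs/trusted_certificates.store
COMMONSVCS_KEYFILE=/etc/vmware/vcf/commonsvcs/trusted_certificates.key
JAVA_CACERTS=/etc/alternatives/jre/lib/security/cacerts
JAVA_STOREPASS=changeit

# Guard for the Step 2 upload: the file must exist, contain a PEM certificate,
# and contain no private key (a combined cert+key file must never be imported
# as a trusted certificate). Returns 0 if acceptable, 1 otherwise.
require_pem_cert() {
    cert_file=$1
    if [ ! -s "$cert_file" ]; then
        echo "certificate file missing or empty: $cert_file" >&2
        return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert_file"; then
        echo "not a PEM certificate: $cert_file" >&2
        return 1
    fi
    if grep -q -e 'PRIVATE KEY-----' "$cert_file"; then
        echo "refusing $cert_file: it contains a private key, upload the certificate only" >&2
        return 1
    fi
    return 0
}

# Step 4: print the trust store key to stdout. Assumption: the key file holds
# only the password, optionally followed by a newline. Fails if it is empty.
read_trust_store_key() {
    key_file=${1:-$COMMONSVCS_KEYFILE}
    if [ ! -r "$key_file" ]; then
        echo "cannot read trust store key file: $key_file" >&2
        return 1
    fi
    store_key=$(tr -d '\r\n' < "$key_file")
    if [ -z "$store_key" ]; then
        echo "trust store key file is empty: $key_file" >&2
        return 1
    fi
    printf '%s' "$store_key"
}

# keytool refuses to import over an existing alias, so check first.
# Arguments: keystore, store password, alias. Exit status 0 if the alias exists.
alias_exists() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Arguments: keystore, store password, alias, certificate file.
# -noprompt stands in for the interactive "yes" of Steps 5 and 6; the caller
# prints the certificate summary for review before this runs.
import_into_store() {
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Steps 4 to 7 in one go. Arguments: certificate file (from Step 2), alias.
import_nsx_cert() {
    cert_file=$1
    cert_alias=$2
    require_pem_cert "$cert_file" || return 1
    store_key=$(read_trust_store_key) || return 1

    echo "Certificate about to be trusted:"
    keytool -printcert -file "$cert_file" | grep -E 'Owner:|Issuer:|Valid from:|SHA256:' || return 1

    for store in "$COMMONSVCS_STORE" "$JAVA_CACERTS"; do
        if [ "$store" = "$JAVA_CACERTS" ]; then pass=$JAVA_STOREPASS; else pass=$store_key; fi
        if alias_exists "$store" "$pass" "$cert_alias"; then
            echo "alias $cert_alias already exists in $store; pick a new alias or delete the old entry first" >&2
            return 1
        fi
        import_into_store "$store" "$pass" "$cert_alias" "$cert_file" || return 1
    done

    # Step 7: confirm the entry landed in the SDDC Manager trust store.
    keytool -list -keystore "$COMMONSVCS_STORE" -storepass "$store_key" -alias "$cert_alias"
}

# Usage: sh import_nsx_cert.sh /tmp/nsx.pem sddc-mgmt-nsx
if [ $# -eq 2 ]; then
    import_nsx_cert "$1" "$2"
fi
```

Two points on the design: the script deliberately prints the owner, issuer, validity and SHA-256 fingerprint before importing, so that -noprompt does not silently trust a file that turned out to be the wrong certificate; compare that fingerprint with the one NSX Manager actually presents before you let the import go ahead. Passing -storepass on the command line, as the post's own commands do, makes the key visible to other local users via the process list for the duration of the call; keytool's -storepass:file form reads the password from a file instead and avoids that. After the script finishes, Step 8 (restarting the services) still has to be run by hand.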