VCF 3.9 – automate managing certificates for Cloud Foundation components using Ansible.

In VCF 3.9 we can manage certificates for all Cloud Foundation components, including configuring a certificate authority, generating and downloading CSRs, and installing the resulting certificates.

In this post I will show you how to configure a Microsoft certificate authority and create and install certificates for the following components:

  • Platform Services Controllers
  • vCenter Server
  • NSX Manager
  • SDDC Manager
  • vRealize Log Insight
  • vRealize Operations

And of course we will use Ansible. Since there is no Ansible module for this, we need to call the SDDC Manager API directly.

NOTE!!! Because it’s not possible to create and install certificates for all components simultaneously (a VCF limitation), we need to do it one by one, iterating over a predefined list (with_items).

My vars look like this:


And the tasks: I created two task files, createCerts.yml and restartVcfServices.yml.

As I mentioned at the very beginning of this post, we will create and install certificates for all VCF components (defined in vars as ‘vcfResources’), so we need to use a loop (with_items) in main.yml:

And the tasks:

If the CA is not yet configured, we can do it this way:

So now let’s create the CSR first:

When the CSR is ready we can generate the certificate:

The certificate was generated successfully, so let’s install it.
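A createCerts.yml that performs these three steps (CSR, certificate generation, installation) for one resource, as an added example and not the post's own task file: it assumes VCF 3.9 basic authentication, vars named sddc_manager, sddc_user, sddc_pass, domain_id and csr_spec, and endpoint paths, body fields and task statuses taken from the SDDC Manager public API, which you should confirm in your own SDDC Manager API explorer.

```yaml
# createCerts.yml (added example, not the post's own file). main.yml includes it once per
# vcfResources entry, so `item` is the current resource ({fqdn, type, resourceId}).
# Assumed: sddc_manager, sddc_user, sddc_pass, domain_id and csr_spec are defined in vars,
# and the paths, body fields and task statuses follow the SDDC Manager public API.
- name: Generate a CSR for {{ item.fqdn }}
  uri: &sddc_call
    url: "https://{{ sddc_manager }}/v1/domains/{{ domain_id }}/csrs"
    method: PUT
    url_username: "{{ sddc_user }}"
    url_password: "{{ sddc_pass }}"
    force_basic_auth: yes
    validate_certs: no          # SDDC Manager still presents its self-signed certificate here
    body_format: json
    body: { csrGenerationSpec: "{{ csr_spec }}", resources: ["{{ item }}"] }
    status_code: 202            # the call is asynchronous: VCF returns a task id to poll
  register: api_task

# Each step returns a task; poll it and stop on the first failure instead of moving on
# to the next step with a half-finished certificate.
- &wait_for_task
  name: Wait for the SDDC Manager task to finish
  uri:
    url: "https://{{ sddc_manager }}/v1/tasks/{{ api_task.json.id }}"
    url_username: "{{ sddc_user }}"
    url_password: "{{ sddc_pass }}"
    force_basic_auth: yes
    validate_certs: no
  register: task_state
  until: task_state.json.status in ['SUCCESSFUL', 'FAILED']
  retries: 30
  delay: 20
  failed_when: task_state.json.status == 'FAILED'

- name: Generate the certificate for {{ item.fqdn }} from the Microsoft CA
  uri:
    <<: *sddc_call
    url: "https://{{ sddc_manager }}/v1/domains/{{ domain_id }}/certificates"
    body: { caType: "Microsoft", resources: ["{{ item }}"] }
  register: api_task
- *wait_for_task

- name: Install the certificate on {{ item.fqdn }}
  uri:
    <<: *sddc_call
    url: "https://{{ sddc_manager }}/v1/domains/{{ domain_id }}/certificates"
    method: PATCH
    body: { operationType: "INSTALL", resources: ["{{ item }}"] }
  register: api_task
- *wait_for_task
```

The YAML anchors (&sddc_call, &wait_for_task) only remove repetition; each alias is a full copy of the task, so api_task is re-registered and polled separately after every step.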

And as you can see, the certificate for vRSLCM is installed. You can browse to https://vRSLCM_FQDN and check whether it is installed correctly.

When all certificates are finally installed, the last step is to add the root certificate chain to the SDDC Manager keystore and then restart all SDDC Manager services. The services are defined as ‘vcfServices’ in vars.

And the task looks like this:

That’s it. If you have any idea how to do this in a much easier way, I’ll be more than happy to read about it.