Comprehensive and Detailed Explanation from VMware Cloud Foundation 9.0 Documentation:
According to the VMware Cloud Foundation 9.0 Design Guide (Table 59, “Certificate Management Design Recommendations”), VMware recommends: “Use a SHA-2 algorithm or higher for signed certificates. The SHA-1 algorithm is considered less secure and has been deprecated.” This recommendation (VCF-SEC-RCMD-CERT-002) is a foundational part of securing communication between management components and workload domains across the VCF environment.
Requiring SHA-2 or stronger means that every certificate used for TLS within the SDDC (vCenter Server, NSX Manager, SDDC Manager and the other management components) carries a CA signature whose hash function is collision resistant. The hash matters because a CA signs a digest of the certificate, not the certificate itself: with SHA-1, for which practical collisions have been demonstrated, an attacker who obtains a CA signature over a harmless-looking certificate can transplant that signature onto a second certificate with the same digest but a different subject or key, and the forged certificate validates. SHA-256 and the other SHA-2 variants have no known collision attack, so the signature binds the CA to exactly the certificate contents it examined. Note that this recommendation governs the signature hash recorded in the certificate's signatureAlgorithm field; the cipher suites and hashes negotiated by the TLS handshake itself are a separate setting. The VCF certificate management design recommendations also call for replacing the default VMCA-signed certificates on the management components with certificates signed by an internal or third-party CA, and the SHA-2 requirement applies to those replacement certificates and to every intermediate in their issuing chain, since a SHA-2 leaf under a SHA-1 intermediate is still only as strong as SHA-1.
This configuration directly satisfies the customer's requirement for secure communication in the logical design of the workload domain. TLS provides the encryption for data in transit between management clusters, workload domains and external systems; the SHA-2 signature is what lets each endpoint trust that the certificate it authenticates against was really issued by the CA and has not been substituted, which is the precondition for that encrypted channel to be trustworthy. This aligns with VMware's security and compliance design principles.
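As an added check (this is example code written for this page, not code from the VMware documentation or from VCF), the following stdlib-only Python script parses a DER-encoded X.509 certificate far enough to read both AlgorithmIdentifier fields and grades the signature hash against a SHA-2-or-stronger policy such as VCF-SEC-RCMD-CERT-002. The OID table, the function names and the fake_certificate() helper that builds the sample input are assumptions of this example; the skeleton that helper produces is deliberately not a valid certificate, only enough structure to exercise the parser.

```python
"""SHA-1 vs SHA-2 signature check for a DER X.509 certificate, stdlib only.
Reads just enough of the Certificate structure (RFC 5280 section 4.1) to pull
out both AlgorithmIdentifier OIDs and grade them against a SHA-2-or-stronger policy."""

# OID -> (name, hash family). Hand-written table for this example, not exhaustive.
SIG_ALGS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption",    "MD5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.10": ("RSASSA-PSS",              "PARAMS"),  # hash is in the parameters
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-2"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384",       "SHA-2"),
}

def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(seq_value):
    """Split the contents of a SEQUENCE into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = read_tlv(seq_value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def algorithm_oid(alg_id_value):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, val = children(alg_id_value)[0]
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(val)

def signature_algorithms(der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    (_, tbs), (_, outer_alg), _sig = children(cert)[:3]
    fields = children(tbs)                  # [0] version OPTIONAL, serialNumber, signature, issuer, ...
    if fields[0][0] == 0xA0:                # explicit [0] version present (v2/v3 certificates)
        fields = fields[1:]
    return algorithm_oid(fields[1][1]), algorithm_oid(outer_alg)

def check_signature_hash(der):
    """Grade a DER certificate against a SHA-2-or-stronger signing policy."""
    inner, outer = signature_algorithms(der)
    name, family = SIG_ALGS.get(outer, (outer, "UNKNOWN"))
    findings = []
    if inner != outer:                      # RFC 5280 section 4.1.1.2 requires the two to match
        findings.append("tbsCertificate.signature %s != signatureAlgorithm %s" % (inner, outer))
    if family in ("MD5", "SHA-1"):
        findings.append("%s uses %s; policy requires SHA-2 or stronger" % (name, family))
    elif family in ("PARAMS", "UNKNOWN"):
        findings.append("%s: hash not fixed by the OID, inspect parameters manually" % name)
    return {"algorithm": name, "hash": family, "ok": not findings, "findings": findings}

# --- Minimal DER encoder, used only to construct sample input for the checker above ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def fake_certificate(sig_oid, tbs_sig_oid=None):
    """Constructed skeleton (NOT a valid certificate): version, serial and the two
    AlgorithmIdentifiers are enough to exercise the parser and the policy check."""
    alg = lambda oid: tlv(0x30, encode_oid(oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(tbs_sig_oid or sig_oid))
    return tlv(0x30, tbs + alg(sig_oid) + tlv(0x03, b"\x00" + bytes(8)))
```

To run it against what a management component actually presents rather than the constructed sample, save the leaf certificate as DER with `openssl s_client -connect sddc-manager.example.local:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform DER > leaf.der` (hostname is a placeholder) and call `check_signature_hash(open("leaf.der", "rb").read())`. Repeat for each intermediate in the chain; the self-signature on the root is conventionally not checked by TLS clients, but every intermediate signature is, so a SHA-1 intermediate fails the policy even when the leaf is SHA-256. RSASSA-PSS certificates report "PARAMS" because the hash is carried in the AlgorithmIdentifier parameters rather than the OID, and need a manual look.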
References (VMware Cloud Foundation 9.0.1 Architecture Guide):
Table 59: Certificate Management Design Recommendations — “VCF-SEC-RCMD-CERT-002 Use a SHA-2 algorithm or higher for signed certificates.”
VMware Cloud Foundation 9.0.1 PDF, pp. 306–308, 376, and 592 (Certificate Management Design Recommendations Sections).
VMware Cloud Foundation Security Governance and Compliance Design Section (VCF-SEC-RCMD-CERT-002).