VMware has greatly reduced the complexity by implementing the VMware Certificate Authority (VMCA) and the VMware Endpoint Certificate Store (VECS). For more information about the VMCA and VECS, see these articles:
- VMCA and VMware Core Identity Services section in the:
- VMware Endpoint Certificate Store Overview section in the:
This article collects documentation links that guide you through configuring certificates on the vSphere components in an environment. It assumes that all components are currently installed and running with either VMCA-signed or third-party CA-signed certificates.
Note: VMware does not support the use of wildcard certificates.
Ensure that you validate each step given here. Each step provides instructions or a link to a document that provides information on configuring the certificates in your environment.
Core vSphere components
The vSphere Certificate Manager utility provides all workflows to replace or regenerate the Machine SSL Certificate, Solution User Certificates and the VMCA Root Signing Certificate on the vCenter Server and Platform Services Controller. For more information, see Understanding and using vSphere 6.x Certificate Manager (2097936).
With this release, VMware provides customers with two ways to implement third-party CA-signed certificates. Customers may keep the VMCA on the Platform Services Controller and replace its root signing certificate with one issued by their own Public Key Infrastructure (PKI), so that the VMCA acts as a subordinate CA for the vSphere environment. Alternatively, customers may bypass the VMCA entirely and replace each certificate with one issued directly by their own PKI.
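The following is an added example and not part of the VMware KB article: a POSIX shell script that uses only `openssl` to model the subordinate-CA approach described above (enterprise root CA, a subordinate CA standing in for the VMCA, and a Machine SSL certificate issued by it), then runs the checks an administrator would want after a replacement: the leaf chains to the trusted root through the subordinate, the certificate name matches the vCenter FQDN, and no wildcard name is present (which the note above says VMware does not support). All CA and host names are constructed placeholders; the functions `make_ca`, `make_leaf`, `verify_chain` and `has_wildcard` are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's code): toy PKI chain root -> subordinate CA -> Machine SSL cert,
# verified with openssl. All names below are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME OUTPREFIX [ISSUERPREFIX]
# Without an issuer, creates a self-signed root CA; with one, a subordinate CA
# signed by that issuer (the role the VMCA takes when made subordinate).
make_ca() {
  name="$1"; out="$2"; issuer="${3:-}"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out.key" 2>/dev/null
  openssl req -new -key "$out.key" -subj "/CN=$name" -out "$out.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$out.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$out.csr" -signkey "$out.key" -days 2 \
      -extfile "$out.ext" -out "$out.crt" 2>/dev/null
  else
    openssl x509 -req -in "$out.csr" -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial \
      -days 2 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
  fi
}

# make_leaf HOST OUTPREFIX ISSUERPREFIX: a server (Machine SSL style) certificate for HOST,
# with the hostname in the subjectAltName as modern clients require.
make_leaf() {
  host="$1"; out="$2"; issuer="$3"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out.key" 2>/dev/null
  openssl req -new -key "$out.key" -subj "/CN=$host" -out "$out.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$out.ext"
  openssl x509 -req -in "$out.csr" -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial \
    -days 2 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
}

# verify_chain ROOTPREFIX SUBPREFIX LEAFPREFIX HOST
# Succeeds only if LEAF chains to ROOT via SUB and its name matches HOST.
verify_chain() {
  openssl verify -CAfile "$1.crt" -untrusted "$2.crt" -verify_hostname "$4" "$3.crt" >/dev/null 2>&1
}

# has_wildcard CERTPREFIX: succeeds if the subject CN or any SAN entry is a wildcard.
has_wildcard() {
  openssl x509 -in "$1.crt" -noout -text | grep -Eq 'CN *= *\*|DNS:\*'
}

# Build the constructed chain: enterprise root, VMCA-style subordinate, vCenter leaf.
make_ca "Example Enterprise Root CA" "$WORK/root"
make_ca "Example vSphere Subordinate CA" "$WORK/sub" "$WORK/root"
make_leaf "vcenter.example.test" "$WORK/vcenter" "$WORK/sub"
# A wildcard certificate, which the KB note says is unsupported.
make_leaf "*.example.test" "$WORK/wild" "$WORK/sub"
# A certificate for the same name issued by a CA that is not in the trust store.
make_ca "Untrusted Root CA" "$WORK/other"
make_leaf "vcenter.example.test" "$WORK/rogue" "$WORK/other"

if verify_chain "$WORK/root" "$WORK/sub" "$WORK/vcenter" vcenter.example.test; then
  echo "vcenter leaf: chain and hostname OK"
fi
if ! verify_chain "$WORK/root" "$WORK/sub" "$WORK/rogue" vcenter.example.test; then
  echo "rogue leaf: rejected (issuer not trusted)"
fi
if has_wildcard "$WORK/wild"; then
  echo "wildcard leaf: rejected (wildcard names unsupported)"
fi
```

`openssl verify -untrusted` supplies the intermediate exactly as a server would present it in the TLS handshake, so a failure here usually means the subordinate CA certificate was not installed alongside the leaf or the trust store lacks the enterprise root; the `-verify_hostname` check catches a certificate that chains correctly but was issued for a different FQDN.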
Replacing Certificates without using VMCA of the Platform Services Controller
For more information, see:
- Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x (2112009)
- Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
- Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)
- Replacing the vSphere 6.x Solution Users certificates with a Custom Certificate Authority signed certificates (2112278)
- After replacing the vCenter Server certificates in VMware vSphere 6.x, the ESX Agent Manager solution user fails to log in (2112577)
- vCenter Server certificate validation error in VMware vCenter Site Recovery Manager and other solutions that run on a separate system (2109074)
Replacing VMCA of the Platform Services Controller with a Subordinate Certificate Authority Certificate
For more information, see:
- Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x (2112009)
- Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority (2147542)
- Obtaining vSphere certificates from a Microsoft Certificate Authority (2112014)
- Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate (2112279)
- Replacing the vSphere 6.x Solution User certificates with VMware Certificate Authority issued certificates (2112281)
- After replacing the VMware vCenter Server certificates in VMware vSphere 6.x, the VMware vSphere Auto Deploy solution user fails to log in (2123631)
- vCenter Server certificate validation error in VMware vCenter Site Recovery Manager and other solutions that run on a separate system (2109074)
- Adding a VMware vSphere ESXi host to VMware vCenter Server 6.x fails with the error: Signed certificate could not be retrieved due to a start time error (2123386)
Regenerate certificates issued by VMCA of the Platform Services Controller
For more information, see:
Peripheral vSphere components