Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate
Article ID: 324990


Products

VMware vCenter Server

Issue/Introduction

This article explains how to regenerate a new vSphere 6.x Machine SSL certificate from the VMware Certificate Authority (VMCA). These steps apply to both vCenter Server and external Platform Services Controllers.
 
The certificate generated will be issued from the current VMCA Root Certificate. You may want to configure VMCA as a Subordinate Certificate Authority of an existing Certificate Authority. For more information on this procedure, see Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016).


Environment

VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.5.x
VMware vCenter Server Appliance 6.7.x

Resolution

To replace a vSphere 6.x Machine SSL certificate with a VMCA-issued certificate:

  1. Launch the vSphere 6.x Certificate Manager.

    For vCenter Server 6.x Appliance:

    /usr/lib/vmware-vmca/bin/certificate-manager

    For Windows vCenter Server 6.x:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
     
  2. Select Option 3 (Replace Machine SSL certificate with VMCA Certificate)
     
  3. Provide the [email protected] password when prompted.
     
  4. If this replacement is on a vCenter Server with an external Platform Services Controller, the following prompt appears: Performing operation on distributed setup, please provide valid Infrastructure Server IP. Enter the FQDN or IP address of the external Platform Services Controller that this vCenter Server node is pointed to.

    Note: For 6.0 U3, the Host Name of the new Machine SSL certificate must match the Host Name of the previous Machine SSL certificate exactly (the comparison is case sensitive).
     
  5. If this is the first time VMCA certificates have been regenerated on this system, you will be asked to configure certool.cfg. On subsequent runs you will be offered the option to re-use these values.

     Note: These values define the certificates issued by VMCA. The important ones are:

     • Name - Enter the FQDN of the vCenter Server or Platform Services Controller where you are replacing the certificate. This value is used as the CN (Common Name) of the certificate.
     • IPAddress - Optional. Enter the vCenter Server IP address only if the vCenter Server PNID (the host name used during deployment, generally the FQDN) is an IP address. This value is placed in the SAN (Subject Alternative Name) field of the certificate.
     • Hostname - Enter the FQDN of the vCenter Server or Platform Services Controller where you are replacing the certificate. This value is placed in the SAN (Subject Alternative Name) field of the certificate.

Enter these values as prompted by the VMCA:

Please configure certool.cfg file with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : Acme] :
Enter proper value for 'Organization' [Default value : AcmeOrg] :
Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' [optional] :
Enter proper value for 'Email' [Default value : [email protected]] :
Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :


Enter proper value for VMCA 'Name' :  (Note: This prompt appears on vCenter Server 6.0 U3 and later builds. You may use the FQDN of the vCenter Server for this field; it is used as the Common Name of the VMCA Root Certificate.)
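The rules in step 5 (Name and Hostname must be the node's FQDN, IPAddress only when the PNID is an IP address, and on 6.0 U3 the Hostname must match the previous certificate case-sensitively) are easy to get wrong at an interactive prompt. The following is an added pre-flight check, not VMware's code; the "key = value" layout it emits is an assumption about the certool.cfg format, and the FQDN, PNID and e-mail values are constructed.

```python
import ipaddress
import re

# Constructed example (not VMware's code): validate the certool.cfg values
# Certificate Manager prompts for in step 5. The "key = value" file layout is
# an assumption about certool.cfg; the rules enforced are those in the article.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_certool_values(hostname, pnid, previous_hostname=None, country="US",
                         organization="AcmeOrg", org_unit="AcmeOrg Engineering",
                         state="California", locality="Palo Alto",
                         email="admin@example.com"):
    """Return certool.cfg fields for a Machine SSL replacement, or raise
    ValueError when the inputs would yield a certificate clients reject."""
    if not FQDN_RE.match(hostname):
        raise ValueError("Hostname must be a fully qualified domain name")
    # 6.0 U3: the new Hostname must match the previous Machine SSL
    # certificate exactly, including case.
    if previous_hostname is not None and previous_hostname != hostname:
        raise ValueError("Hostname differs from previous certificate (case-sensitive)")
    # Name becomes the CN, Hostname becomes the DNS SAN; both are the FQDN.
    values = {"Country": country, "Name": hostname, "Organization": organization,
              "OrgUnit": org_unit, "State": state, "Locality": locality}
    if is_ip(pnid):
        # PNID is an IP address: it must appear in the SAN via IPAddress.
        values["IPAddress"] = pnid
    elif pnid.lower() != hostname.lower():
        # PNID is a name: the CN/SAN must be the name clients connect to.
        raise ValueError("PNID %r does not match Hostname %r" % (pnid, hostname))
    values["Email"] = email
    values["Hostname"] = hostname
    return values


def render_certool_cfg(values):
    """Serialise the fields in the order Certificate Manager prompts for them."""
    return "".join("%s = %s\n" % (k, v) for k, v in values.items())
```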

Warning
  • If you are running an external Platform Services Controller you will need to restart the services on the external vCenter Server 6.x.


Additional Information

Configuring the vSphere 6.0 U1 or earlier VMware Certificate Authority as a Subordinate Certificate Authority
Replacing the vSphere 6.0 Machine SSL certificate with a certificate issued by the VMware Certificate Authority (Japanese)
Replacing the vSphere 6.0 Machine SSL certificate with a certificate issued by the VMware Certificate Authority (Portuguese)
Replacing the vSphere 6.0 Machine SSL certificate with a certificate issued by the VMware Certificate Authority (Spanish)
Replacing the vSphere 6.0 Machine SSL certificate with a certificate issued by the VMware Certificate Authority (Chinese)
"The system name in the vCenter Server 5.5 SSL certificate and the vCenter Single Sign-On 5.5 SSL certificates are not compatible" error when upgrading from vSphere 5.x to 6.0
Frequently asked questions about Public Certificate Authority certificates with Internal Server Names and VMware Products