Search the VMware Knowledge Base (KB)
View by Article ID

Replacing the vSphere 6.0 Machine SSL certificate with a VMware Certificate Authority issued certificate (2112279)

  • 3 Ratings


This article explains how to regenerate a new vSphere 6.0 Machine SSL certificate from the VMware Certificate Authority (VMCA).

The certificate generated will be be issued from the current VMCA Root Certificate. You may want to configure VMCA as a Subordinate Certificate Authority of an existing Certificate Authority. For more information on this procedure, see Configuring vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority (2112016).


To replace a vSphere 6.0 Machine SSLcertificate with a VMCA issued certificate:
  1. Launch the vSphere 6.0 Certificate Manager.

    For vCenter Server 6.0 Appliance:


    For Windows vCenter Server 6.0:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

  2. Select Option 3 (Replace Machine SSL certificate with VMCA Certificate)

  3. Provide the administrator@vsphere.local password when prompted.

  4. If this is the first time VMCA certificates have been re-generated on this system you will be asked to configure the certool.cfg. On subsequent tasks you will be offered to re-use these values.
Note: These values will be used to define certificates issued by VMCA. 

Enter these values as prompted by the VMCA:

Please configure certool.cfg file with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : Acme] :
Enter proper value for 'Organization' [Default value : AcmeOrg] :
Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' [optional] :
Enter proper value for 'Email' [Default value :] :
Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example :] :

  • This task replaces the Machine SSL Certificate with a VMCA issued certificate.
  • If you are running an external Platform Services Controller you will need to restart the services on the external vCenter Server 6.0 and then optionally proceed with replacing the Machine SSL of the vCenter Server 6.0.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 3 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 3 Ratings