Search the VMware Knowledge Base (KB)
View by Article ID

How to regenerate vSphere 6.x certificates using self-signed VMCA (2112283)

  • 49 Ratings
Language Editions


This article provides steps to regenerate the vSphere 6.0 certificates using a new self-signed certificate in the VMware Certificate Authority (VMCA).

Note: This process can be useful to quickly recover from a scenario where certificates have expired.



  • This task replaces the VMCA Root Certificate with a new self-signed certificate and then the MachineSSL and Solution User certificates with new certificates issued by the VMCA.
  • If you are running an external Platform Services Controller, you need to run the vSphere 6.0 Certificate Manager on the external vCenter Server 6.0 and perform these tasks:

    • Replace Machine SSL certificate with VMCA Certificate
    • Replace Solution user certificates with VMCA certificates
To regenerate the vSphere 6.0 certificates using a new self-signed VMware Certificate Authority certificate:
  1. Launch the vSphere 6.0 Certificate Manager.

    For vCenter Server 6.0 Appliance:


    For Windows vCenter Server 6.0:

    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

  2. Select Option 4 (Regenerate a new VMCA Root Certificate and replace all certificates)

    Note: You can also select Option 8 (Reset all Certificates). Both the options perform the same functionality.

  3. Type the administrator@vsphere.local password when prompted.

  4. If this is the first time VMCA certificates are re-generated on this system, you are asked to configure the certool.cfg. On subsequent tasks, you are offered to re-use these values.

    Note: These values are used to define certificates issued by VMCA. 

    Enter these values as prompted by the VMCA:

    Please configure certool.cfg file with proper values before proceeding to next step.
    Press Enter key to skip optional parameters or use Default value.
    Enter proper value for 'Country' [Default value : US] :
    Enter proper value for 'Name' [Default value : Acme] :
    Enter proper value for 'Organization' [Default value : AcmeOrg] :
    Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
    Enter proper value for 'State' [Default value : California] :
    Enter proper value for 'Locality' [Default value : Palo Alto] :
    Enter proper value for 'IPAddress' [optional] :
    Enter proper value for 'Email' [Default value :] :
    Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example :] :

  5. Type Yes (Y) to the confirmation request to proceed.


Default certificate, replace, expired, self-signed

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 49 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 49 Ratings