By default, vSphere uses TLS/SSL certificates that are signed by VMCA (VMware Certificate Authority). These certificates are not trusted by end-user devices or browsers.

As a security best practice, replace at least all user-facing certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA). Certificates for machine-to-machine communication can remain VMCA-signed.

Table 1. Design Decisions on the TLS Certificates of vCenter Server

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| | Replace the vCenter Server machine certificate and Platform Services Controller machine certificate with a certificate signed by a third-party Public Key Infrastructure. | Infrastructure administrators connect to both vCenter Server and the Platform Services Controller using a Web browser to perform configuration, management, and troubleshooting activities. Using the default certificate results in certificate warning messages. | Replacing and managing certificates is an operational overhead. |
| | Use a SHA-2 or higher algorithm when signing certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2. |
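The two design decisions above are easy to verify mechanically once a certificate has been exported from vCenter Server or the Platform Services Controller. The following Go program is an added example, not VMware code and not part of the design document: it checks a parsed X.509 certificate for a SHA-2 (or better) signature algorithm and for an issuer that still looks like the VMCA default. The issuer common name "CA" used to recognise VMCA-issued certificates is an assumption, as are the hostname `vcenter.example.local` and the in-memory self-signed certificate that stands in for a real machine certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sha2Family lists the signature algorithms that satisfy the "SHA-2 or higher"
// design decision. Ed25519 hashes with SHA-512 internally, so it is included.
var sha2Family = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA:    true,
	x509.SHA384WithRSA:    true,
	x509.SHA512WithRSA:    true,
	x509.ECDSAWithSHA256:  true,
	x509.ECDSAWithSHA384:  true,
	x509.ECDSAWithSHA512:  true,
	x509.SHA256WithRSAPSS: true,
	x509.SHA384WithRSAPSS: true,
	x509.SHA512WithRSAPSS: true,
	x509.PureEd25519:      true,
}

// vmcaIssuerCN is an assumption: a VMCA-issued certificate is taken to carry
// the issuer common name "CA". Adjust it to match your own environment.
const vmcaIssuerCN = "CA"

// CheckCertificate returns one finding per design decision the certificate
// violates: a signature that is not SHA-2 or better, or an issuer that looks
// like the VMCA default rather than an enterprise or third-party CA.
func CheckCertificate(cert *x509.Certificate) []string {
	var findings []string
	if !sha2Family[cert.SignatureAlgorithm] {
		findings = append(findings,
			fmt.Sprintf("signature algorithm %s is not SHA-2 or better", cert.SignatureAlgorithm))
	}
	if cert.Issuer.CommonName == vmcaIssuerCN {
		findings = append(findings,
			fmt.Sprintf("issuer CN %q matches the VMCA default; replace with a CA-signed certificate", cert.Issuer.CommonName))
	}
	return findings
}

// NewSelfSignedExample builds a constructed, in-memory ECDSA P-256 certificate
// (Go selects ECDSA-with-SHA256 for it) so the checker can be exercised
// without a live vCenter Server. The hostname is a placeholder.
func NewSelfSignedExample() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vcenter.example.local"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, err := NewSelfSignedExample()
	if err != nil {
		panic(err)
	}
	fmt.Println("SHA-256 certificate findings:", CheckCertificate(good))

	// A certificate object shaped like a legacy VMCA-issued, SHA-1 signed
	// machine certificate (constructed struct, no DER parsing involved).
	legacy := &x509.Certificate{
		SignatureAlgorithm: x509.SHA1WithRSA,
		Issuer:             pkix.Name{CommonName: vmcaIssuerCN},
	}
	for _, f := range CheckCertificate(legacy) {
		fmt.Println("finding:", f)
	}
}
```

For a certificate exported from a live system, read the PEM file, decode it with `encoding/pem`, pass the block bytes to `x509.ParseCertificate`, and hand the result to `CheckCertificate`; the same check applies to each certificate in the chain, since the SHA-2 decision covers the signing CA as well as the leaf.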