For the core vCenter components, you can generate certificate requests and replace the default certificates with self-signed or CA-signed certificates by using the Certificate Automation Tool. You can also generate the requests, create the certificates, and replace the certificates from the command line without the tool.
Where to Find Information
How you want to replace certificates determines where you can find information. You can perform certificate replacement in several ways.
- Use the Certificate Replacement tool in your Windows environment, as described in this document.
- Replace certificates on Windows explicitly, as explained in VMware Knowledge Base article 2058519.
- Replace certificates on the vCenter Server Appliance, as explained in VMware Knowledge Base article 2057223.
If you want to use certificates that are signed by a CA, you must generate a certificate signing request (CSR) for each component. You can use the tool to generate the CSRs. See Preparing Your Environment for a list of certificate requirements.
Certificate Replacement Tool Overview
- Prompts you for required input.
- Validates the input (X.509 certificate and URL formats).
- Updates the SSL certificate of a component and the corresponding LookupService entries of the services that are exposed by the components if necessary.
- Restarts the corresponding service if necessary.
- Updates the trust of the component to all other components that it connects to. Restarts the component if necessary.
- Provides the next steps to the user where necessary.
The tool supports the following vCenter components:
- vCenter Single Sign-On
- vCenter Inventory Service
- vCenter Server
- vSphere Web Client
- vSphere Update Manager
- vCenter Log Browser
- vCenter Orchestrator
Each component must have an SSL certificate and a solution user certificate. Most components use the same certificate for both purposes. On Windows, the solution user certificates must be unique, so a unique SSL certificate for each component is required.
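A pre-flight check for the uniqueness requirement above, as an added example (not VMware's tool or code): it fingerprints the certificate prepared for each component and reports components that share a certificate or have none. The `preflight` function, the name-to-PEM input layout, and the sample data are assumptions; the sample PEM blocks are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import ssl
from collections import defaultdict

# Components the tool supports, as listed on this page.
COMPONENTS = [
    "vCenter Single Sign-On", "vCenter Inventory Service", "vCenter Server",
    "vSphere Web Client", "vSphere Update Manager", "vCenter Log Browser",
    "vCenter Orchestrator",
]

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so PEM line wrapping does not matter."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()

def preflight(certs: dict) -> dict:
    """certs maps component name -> PEM text (hypothetical input layout)."""
    by_fp = defaultdict(list)
    for name, pem in certs.items():
        by_fp[fingerprint(pem)].append(name)
    return {
        # Components with no certificate prepared yet.
        "missing": [c for c in COMPONENTS if c not in certs],
        # Groups of components that would end up with the same certificate.
        "shared": sorted(sorted(g) for g in by_fp.values() if len(g) > 1),
    }

def _fake_pem(payload: bytes, width: int = 64) -> str:
    """Constructed stand-in: PEM armour around arbitrary bytes, not a real certificate."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed sample: Inventory Service reuses the vCenter Server certificate
# (re-wrapped at a different line width), and Orchestrator has none yet.
SAMPLE = {c: _fake_pem(c.encode() * 8) for c in COMPONENTS[:6]}
SAMPLE["vCenter Inventory Service"] = _fake_pem(b"vCenter Server" * 8, width=48)

if __name__ == "__main__":
    report = preflight(SAMPLE)
    print("missing:", report["missing"])
    print("shared :", report["shared"])
```

With real input, load each component's PEM file into the mapping; an empty `shared` list and an empty `missing` list mean every component has its own certificate.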
If you replaced the default certificates in vSphere version 5.0 or version 5.1, and you upgrade to vSphere version 5.5, the certificates are migrated. If you are upgrading and you want to replace the default certificates, you can run the Certificate Automation Tool after the upgrade.