For the core vCenter components, you can generate certificate requests and replace the default certificates with self-signed or CA-signed certificates by using the Certificate Automation Tool. You can also generate the requests, create the certificates, and replace the certificates from the command line without the tool.

Where to Find Information

How you want to replace certificates determines where you can find information. You can perform certificate replacement in several ways.

  • Use the Certificate Replacement tool in your Windows environment, as described in this document.
  • Replace certificates on Windows explicitly, as explained in VMware Knowledge Base article 2058519.
  • Replace certificates on the vCenter Server Appliance, as explained in VMware Knowledge Base article 2057223.

If want to use certificates that are signed by a CA, you must generate a certificate request (CSR) for each component. You can use the tool to generate the CSRs. See Preparing Your Environment for a list of certificate requirements.

Certificate Replacement Tool Overview

The Certificate Automation Tool is a command-line tool that helps you replace the certificates for the core vCenter components listed below. In most cases, you replace the default certificates with custom certificates. You use the tool after you install all vCenter components. If you add a new component to your vSphere environment, you can run the tool again to perform certificate replacement for the new component. When you run the tool on a vCenter component such as the vCenter Server system or the vCenter Single Sign-On server, it performs the following tasks.
  • Prompts you for required input.
  • Validates the input (x.509 certificate and URL formats).
  • Updates the SSL certificate of a component and the corresponding LookupService entries of the services that are exposed by the components if necessary.
  • Restarts the corresponding service if necessary.
  • Updates the trust of the component to all other components that it connects to. Restarts the component if necessary.
  • Provides the next steps to the user where necessary.
Note: Certificate replacement with the tool has been tested with vCenter Single Sign-On, vCenter Inventory Service, vCenter Server, vSphere Web Client, vSphere Update Manager, vCenter Log Browser and vCenter Orchestrator. If you have to perform a certificate replacement with another vSphere component, the instructions in VMware documentation or the VMware Knowledge base for that product. You might have to update certificates on one of the supported components as part of the process.

The tool supports the following vCenter components:

  • vCenter Single Sign-On
  • vCenter Inventory Service
  • vCenter Server
  • vSphere Web Client
  • vSphere Update Manager
  • vCenter Log Browser
  • vCenter Orchestrator

Each component must have an SSL certificate and a solution user certificate. Most components use the same certificate for both purposes. On Windows, the solution user certificates must be unique, so a unique SSL certificate for each component is required.


If you replaced the default certificates in vSphere version 5.0 or version 5.1, and you upgrade to vSphere version 5.5, the certificates are migrated. If you are upgrading and you want to replace the default certificates, you can run the Certificate Automation Tool after the upgrade.