You can replace the default vCenter SSL certificates with CA-signed or self-signed certificates if company policy requires it. The vCenter Certificate Automation Tool is a command-line tool that helps you replace certificates in the correct order for the core vCenter services in your environment. You can use the tool to generate certificate requests, generate an update plan, and perform the update.

Each vSphere service has an identity, which is used to create an X.509 certificate. You can replace the certificates for the core vCenter components with the vCenter Certificate Automation Tool. You can replace certificates for other vCenter components manually.

  • Use the vCenter Certificate Automation Tool to replace SSL certificates for vCenter components that are installed on supported Windows operating systems. The tool helps you generate certificate requests and plan the process of replacing certificates. The tool supports vCenter Single Sign-On, vCenter Inventory Service, vCenter Server, vSphere Web Client, vSphere Update Manager, vCenter Log Browser, and vCenter Orchestrator.

  • If you are using other vSphere components, see VMware documentation or the VMware Knowledge Base for certificate replacement information.

  • If you are using a third-party component, you must replace the certificates manually. See VMware Knowledge Base article 2058519.

  • If you are using the vCenter Server Appliance, replace SSL certificates manually. Some services share certificates. See VMware Knowledge Base article 2057223.

Replacing the certificates consists of several tasks.