If you want to use trusted certificates that are generated by a CA (Certificate Authority), you must create certificate requests and submit them to a CA.

You can create the certificate requests manually, or use the vCenter Certificate Automation Tool to generate certificate requests for each component. See VMware KB article 2061934 for detailed instructions on manual generation and replacement.

For increased security, generate each certificate and private key on the machine where it will be used.

Note: This procedure explains how to prepare your CA-signed certificates. The tool also works with self-signed certificates.


  1. You can use the tool to generate the certificate requests for each of the following services if you are using them in your environment.
    • vCenter Single Sign-On service
    • vCenter Inventory Service
    • vCenter Server
    • vCenter Orchestrator
    • vSphere Web Client
    • vCenter Log Browser
    • vCenter Update Manager
  2. Submit the certificate requests to the CA that you are using.
    The CA returns the generated certificates and keys.
  3. When you later supply the certificates and keys to the tool, the tool generates the PFX and JKS files that are required by the vCenter Single Sign-On infrastructure and places them in the correct location.
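
For the manual route, the sketch below creates a private key and certificate request per service on the local machine, then checks that a certificate returned by the CA carries the same public key as the local private key before it is handed to the tool. It is an added example, not VMware's tool or the KB procedure; the function names, file names, short service labels and subject layout are assumptions.

```shell
#!/bin/sh
# Added example. Requires the openssl CLI. All names below are assumptions.

# Create a 2048-bit RSA key and a CSR for one service in its own directory.
# umask 077 makes the key readable by its owner only; it stays on this host.
make_csr() {
    svc=$1; fqdn=$2; outdir=$3
    mkdir -p "$outdir/$svc" || return 1
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/$svc/$svc.key" \
            -out "$outdir/$svc/$svc.csr" \
            -subj "/CN=$fqdn/OU=$svc/O=Example Org" 2>/dev/null
    )
}

# Print the PEM public key contained in a private key, CSR or certificate.
pubkey_pem() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Exit 0 only if both files hold the same public key.
# Exit 2 if either file cannot be parsed, 1 on a mismatch.
same_pubkey() {
    a=$(pubkey_pem "$1" "$2") || return 2
    b=$(pubkey_pem "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Typical use (host name is a placeholder):
#   make_csr sso vc01.example.test ./requests
#   ...submit ./requests/sso/sso.csr to the CA, save the reply as sso.crt...
#   same_pubkey cert ./requests/sso/sso.crt key ./requests/sso/sso.key \
#       || echo "sso: certificate does not match the local key" >&2
```

A mismatch usually means a certificate was filed under the wrong service or issued from a different request, which is easier to catch here than after the tool has built the PFX and JKS files.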

What to do next

  • Run the tool to generate update planner information.