You can perform different types of certificate replacement depending on company policy and requirements for the system that you are configuring. You can perform each replacement with the vSphere Certificate Manager utility or manually by using the CLIs included with your installation.

VMCA is included in each Platform Services Controller and in each embedded deployment. VMCA provisions each node, each vCenter Server solution user, and each ESXi host with a certificate that is signed by VMCA as the certificate authority. vCenter Server solution users are groups of vCenter Server services. See vSphere Security for a list of solution users.

You can replace the default certificates. For vCenter Server components, you can use a set of command-line tools included in your installation. You have several options.

See the vSphere Security publication for details on the replacement workflows and on the vSphere Certificate Manager utility.

Replace With Certificates Signed by VMCA

If your VMCA certificate expires or you want to replace it for other reasons, you can use the certificate management CLIs to perform that process. By default, the VMCA root certificate expires after ten years, and all certificates that VMCA signs expire when the root certificate expires, that is, after a maximum of ten years.

Figure 1. Certificates Signed by VMCA Are Stored in VECS
In default mode, VMCA provisions with certificates that are signed by VMCA

Make VMCA an Intermediate CA

You can replace the VMCA root certificate with a certificate that is signed by an enterprise CA or third-party CA. VMCA signs the custom root certificate each time it provisions certificates, making VMCA an intermediate CA.
Note: If you perform a fresh install that includes an external Platform Services Controller, install the Platform Services Controller first and replace the VMCA root certificate. Next, install other services or add ESXi hosts to your environment. If you perform a fresh install with an embedded Platform Services Controller, replace the VMCA root certificate before you add ESXi hosts. If you do, all certificates are signed by the whole chain, and you do not have to generate new certificates.
Figure 2. Certificates Signed by a Third-Party or Enterprise CA Use VMCA as an Intermediate CA
VMCA certificate is includes as an intermediary certificate. The root certificate is signed by a third-party CA.

Do Not Use VMCA, Provision with Custom Certificates

You can replace the existing VMCA-signed certificates with custom certificates. If you use that approach, you are responsible for all certificate provisioning and monitoring.

Figure 3. External Certificates are Stored Directly in VECS
External certificates are stored directly in VECS. VMCA is not used.

Hybrid Deployment

You can have VMCA supply some of the certificates, but use custom certificates for other parts of your infrastructure. For example, because solution user certificates are used only to authenticate to vCenter Single Sign-On, consider having VMCA provision those certificates. Replace the machine SSL certificates with custom certificates to secure all SSL traffic.

ESXi Certificate Replacement

For ESXi hosts, you can change certificate provisioning behavior from the vSphere Web Client.
VMware Certificate Authority mode (default)
When you renew certificates from the vSphere Web Client, VMCA issues the certificates for the hosts. If you changed the VMCA root certificate to include a certificate chain, the host certificates include the full chain.
Custom Certificate Authority mode
Allows you to manually update and use certificates that are not signed or issued by VMCA.
Thumbprint mode
Can be used to retain 5.5 certificates during refresh. Use this mode only temporarily in debugging situations.