You can perform different types of certificate replacement depending on company policy and requirements for the system that you are configuring. You can perform each replacement with the vSphere Certificate Manager utility or manually by using the CLIs included with your installation.
VMCA is included in each Platform Services Controller and in each embedded deployment. VMCA provisions each node, each vCenter Server solution user, and each ESXi host with a certificate that is signed by VMCA as the certificate authority. vCenter Server solution users are groups of vCenter Server services. See vSphere Security for a list of solution users.
You can replace the default certificates. For vCenter Server components, you can use a set of command-line tools included in your installation. You have several options.
See the vSphere Security publication for details on the replacement workflows and on the vSphere Certificate Manager utility.
Replace With Certificates Signed by VMCA
If your VMCA certificate expires or you want to replace it for other reasons, you can use the certificate management CLIs to perform that process. By default, the VMCA root certificate expires after ten years, and all certificates that VMCA signs expire when the root certificate expires, that is, after a maximum of ten years.
Make VMCA an Intermediate CA
You can replace the VMCA root certificate with a certificate that is signed by an enterprise CA or third-party CA. VMCA signs the custom root certificate each time it provisions certificates, making VMCA an intermediate CA.
If you perform a fresh install that includes an external Platform Services Controller, install the Platform Services Controller first and replace the VMCA root certificate. Next, install other services or add ESXi hosts to your environment. If you perform a fresh install with an embedded Platform Services Controller, replace the VMCA root certificate before you add ESXi hosts. If you do, all certificates are signed by the whole chain, and you do not have to generate new certificates.
Do Not Use VMCA, Provision with Custom Certificates
You can replace the existing VMCA-signed certificates with custom certificates. If you use that approach, you are responsible for all certificate provisioning and monitoring.
You can have VMCA supply some of the certificates, but use custom certificates for other parts of your infrastructure. For example, because solution user certificates are used only to authenticate to vCenter Single Sign-On, consider having VMCA provision those certificates. Replace the machine SSL certificates with custom certificates to secure all SSL traffic.
ESXi Certificate Replacement
For ESXi hosts, you can change certificate provisioning behavior from the vSphere Web Client.
VMware Certificate Authority mode (default)
When you renew certificates from the vSphere Web Client, VMCA issues the certificates for the hosts. If you changed the VMCA root certificate to include a certificate chain, the host certificates include the full chain.