In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions your environment with certificates. This includes machine SSL certificates for secure connections, solution user certificates for authentication to vCenter Single Sign-On, and certificates for ESXi hosts that are added to vCenter Server.

The following certificates are in use.
Table 1. Certificates in vSphere 6.0

| Certificate | Provisioned by | Stored |
| --- | --- | --- |
| ESXi certificates | VMCA (default) | Locally on ESXi host |
| Machine SSL certificates | VMCA (default) | VECS |
| Solution user certificates | VMCA (default) | VECS |
| vCenter Single Sign-On SSL signing certificate | Provisioned during installation. | Manage this certificate from the vSphere Web Client. Warning: Do not change this certificate in the filesystem or unpredictable behavior results. |
| VMware Directory Service (vmdir) SSL certificate | Provisioned during installation. | In certain corner cases, you might have to replace this certificate. See Replace the VMware Directory Service Certificate. |

ESXi certificates are stored locally on each host in the /etc/vmware/ssl directory. ESXi certificates are provisioned by VMCA by default, but you can use custom certificates instead. ESXi certificates are provisioned when the host is first added to vCenter Server and when the host reconnects.

Machine SSL Certificates

The machine SSL certificate for each node is used to create an SSL socket on the server side to which SSL clients connect. The certificate is used for server verification and for secure communication such as HTTPS or LDAPS.

All services communicate through the reverse proxy. For compatibility, services that were available in earlier versions of vSphere also use specific ports. For example, the vpxd service uses the MACHINE_SSL_CERT to expose its endpoint.

Every node (embedded deployment, management node, or Platform Services Controller) has its own machine SSL certificate. All services that are running on that node use this machine SSL certificate to expose their SSL endpoints.

The machine SSL certificate is used as follows:
  • By the reverse proxy service on each Platform Services Controller node. SSL connections to individual vCenter services always go to the reverse proxy. Traffic does not go to the services themselves.
  • By the vCenter service (vpxd) on management nodes and embedded nodes.
  • By the VMware Directory Service (vmdir) on infrastructure nodes and embedded nodes.

VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information that is sent over SSL between components.

Solution User Certificates

A solution user encapsulates one or more vCenter Server services and uses the certificates to authenticate to vCenter Single Sign-On through SAML token exchange. Each solution user must be authenticated to vCenter Single Sign-On.

Solution user certificates are used for authentication to vCenter Single Sign-On. A solution user presents the certificate to vCenter Single Sign-On when it first has to authenticate, after a reboot, and after a timeout has elapsed. The timeout (Holder-of-Key Timeout) can be set from the vSphere Web Client and defaults to 2592000 seconds (30 days).

For example, the vpxd solution user presents its certificate to vCenter Single Sign-On when it connects to vCenter Single Sign-On. The vpxd solution user receives a SAML token from vCenter Single Sign-On and can then use that token to authenticate to other solution users and services.

The following solution user certificate stores are included in VECS on each management node and each embedded deployment:

  • machine: Used by component manager, license server, and the logging service.
    Note: The machine solution user certificate has nothing to do with the machine SSL certificate. The machine solution user certificate is used for the SAML token exchange; the machine SSL certificate is used for secure SSL connections for a machine.
  • vpxd: vCenter service daemon (vpxd) store on management nodes and embedded deployments. vpxd uses the solution user certificate that is stored in this store to authenticate to vCenter Single Sign-On.
  • vpxd-extensions: vCenter extensions store. Includes the Auto Deploy service, inventory service, and other services that are not part of other solution users.
  • vsphere-webclient: vSphere Web Client store. Also includes some additional services such as the performance chart service.

The machine store is also included on each Platform Services Controller node.
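
The store layout described above can be checked per node. The following is an added example, not VMware code: it takes the text listing of each VECS store (assumed here to be openssl-style text with "Alias :" and "Not After :" lines, as captured from a store listing tool), compares the stores present against the ones this page lists for the node type, and reports certificates that are expired or close to expiry. The function names, the 60-day threshold, the alias names, and the sample listings are assumptions constructed for the example.

```python
import re
from datetime import datetime, timezone

# Stores this page lists per node type; MACHINE_SSL_CERT is the name the page uses.
MGMT = {"MACHINE_SSL_CERT", "machine", "vpxd", "vpxd-extensions", "vsphere-webclient"}
EXPECTED = {"embedded": MGMT, "management": MGMT, "psc": {"MACHINE_SSL_CERT", "machine"}}

def parse_entries(text):
    """Return [(alias, not_after)] from one store's text listing (assumed format)."""
    entries = []
    for chunk in re.split(r"(?m)^(?=Alias\s*:)", text):
        alias = re.search(r"^Alias\s*:\s*(\S+)", chunk)
        expiry = re.search(r"Not After\s*:\s*(.+?)\s*GMT", chunk)
        if alias and expiry:
            when = datetime.strptime(expiry.group(1), "%b %d %H:%M:%S %Y")
            entries.append((alias.group(1), when.replace(tzinfo=timezone.utc)))
    return entries

def audit(node_type, listings, now, warn_days=60):
    """listings maps store name -> captured listing text; returns finding strings."""
    expected = EXPECTED[node_type]
    findings = [f"missing store: {s}" for s in sorted(expected - set(listings))]
    for store in sorted(expected & set(listings)):
        entries = parse_entries(listings[store])
        if not entries:
            findings.append(f"{store}: no certificate entry")
        for alias, not_after in entries:
            days = (not_after - now).days
            if days < 0:
                findings.append(f"{store}/{alias}: expired {-days} days ago")
            elif days < warn_days:
                findings.append(f"{store}/{alias}: expires in {days} days")
    return findings

def sample_listing(alias, not_after):  # constructed text, not from a real system
    return (f"Number of entries in store :\t1\nAlias :\t{alias}\nEntry type :\tPrivate Key\n"
            f"Certificate:\n    Data:\n        Validity\n            Not After : {not_after} GMT\n")

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "now" so the demo is repeatable
SAMPLE = {
    "MACHINE_SSL_CERT": sample_listing("__MACHINE_CERT", "Jan 31 00:00:00 2025"),
    "machine": sample_listing("machine", "Dec 22 00:00:00 2024"),
    "vpxd": sample_listing("vpxd", "Jan 01 00:00:00 2027"),
    "vpxd-extensions": sample_listing("vpxd-extensions", "Jan 01 00:00:00 2027"),
}

if __name__ == "__main__":
    print("\n".join(audit("management", SAMPLE, NOW)))
```

An expired solution user certificate in one of these stores means that solution user can no longer authenticate to vCenter Single Sign-On at its next reboot or Holder-of-Key timeout, so the check is worth running well inside the 30-day default.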

vCenter Single Sign-On Certificates

vCenter Single Sign-On certificates are not stored in VECS and are not managed with certificate management tools. As a rule, changes are not necessary, but in special situations, you can replace these certificates.

vCenter Single Sign-On Signing Certificate

The vCenter Single Sign-On service includes an identity provider service which issues SAML tokens that are used for authentication throughout vSphere. A SAML token represents the user's identity, and also contains group membership information. When vCenter Single Sign-On issues SAML tokens, it signs each token with its signing certificate so that clients of vCenter Single Sign-On can verify that the SAML token comes from a trusted source.

vCenter Single Sign-On issues holder-of-key SAML tokens to solution users and bearer tokens to other users, which log in with a user name and password.

You can replace this certificate from the vSphere Web Client. See Refresh the Security Token Service Certificate.

VMware Directory Service SSL Certificate

If you are using custom certificates, you might have to replace the VMware Directory Service SSL certificate explicitly. See Replace the VMware Directory Service Certificate.