If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services.
If you unpublish the VMCA root certificate, you must replace the SSL Signing Certificate that is used by vCenter Single Sign-On. See Refresh the Security Token Service Certificate. You must also replace the VMware Directory Service (vmdir) certificate.
Request a certificate for vmdir from your third-party or enterprise CA.
- Stop vmdir.
- Copy the certificate and key that you just generated to the vmdir location.
- Restart vmdir from the vSphere Web Client or using the service-control command.
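
The stop, copy, and restart steps above can be wrapped in preflight checks so that a mismatched or nearly expired certificate never reaches the vmdir location. The script below is an added example, not VMware's own tooling. It assumes OpenSSL is available and that the service is named `vmdird` under `service-control`. `VMDIR_CERT_DEST` and `VMDIR_KEY_DEST` are placeholders for the vmdir certificate and key paths in your deployment, which this page does not give.

```shell
#!/bin/sh
# Added example: preflight checks around the stop/copy/restart procedure.
# VMDIR_CERT_DEST and VMDIR_KEY_DEST are placeholders (paths not given on
# this page); the service name vmdird is an assumption.

# Return 0 only if the certificate's public key matches the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 only if the certificate stays valid for at least $2 more seconds.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: replace_vmdir_cert NEW_CERT.pem NEW_KEY.pem
replace_vmdir_cert() {
    new_cert=$1
    new_key=$2
    # Refuse to run until the operator has supplied the real destinations.
    if [ -z "${VMDIR_CERT_DEST:-}" ] || [ -z "${VMDIR_KEY_DEST:-}" ]; then
        echo "set VMDIR_CERT_DEST and VMDIR_KEY_DEST first" >&2
        return 1
    fi
    # Validate before stopping the service, so a bad pair causes no outage.
    cert_matches_key "$new_cert" "$new_key" ||
        { echo "certificate and key do not match" >&2; return 1; }
    cert_not_expiring "$new_cert" 86400 ||
        { echo "certificate expires within 24 hours" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    service-control --stop vmdird || return 1
    # Keep the old pair for rollback, then copy the new pair into place.
    cp -p "$VMDIR_CERT_DEST" "$VMDIR_CERT_DEST.$stamp.bak" &&
        cp -p "$VMDIR_KEY_DEST" "$VMDIR_KEY_DEST.$stamp.bak" &&
        cp "$new_cert" "$VMDIR_CERT_DEST" &&
        cp "$new_key" "$VMDIR_KEY_DEST"
    rc=$?
    # Always try to bring vmdir back, even if a copy step failed.
    service-control --start vmdird || return 1
    return $rc
}
```

The timestamped `.bak` copies inherit the mode and ownership of the originals; remove them once the new certificate is confirmed working, since one of them is a private key.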