If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services.

If you unpublish the VMCA root certificate, you must replace the SSL Signing Certificate that is used by vCenter Single Sign-On. See Refresh the Security Token Service Certificate. You must also replace the VMware Directory Service (vmdir) certificate.

Prerequisites

Request a certificate for vmdir from your third-party or enterprise CA.

Procedure

  1. Stop vmdir.
    Linux
    service-control --stop vmdird
    
    Windows
    service-control --stop VMWareDirectoryService
  2. Copy the certificate and key that you just generated to the vmdir location.
    Linux
    cp vmdir.crt /usr/lib/vmware-vmdir/share/config/vmdircert.pem
    cp vmdir.priv /usr/lib/vmware-vmdir/share/config/vmdirkey.pem
    
    Windows
    copy vmdir.crt C:\programdata\vmware\vCenterServer\cfg\vmdird\vmdircert.pem
    copy vmdir.priv C:\programdata\vmware\vCenterServer\cfg\vmdird\vmdirkey.pem
    
  3. Restart vmdir from the vSphere Web Client or using the service-control command.
    Linux
    service-control --start vmdird
    
    Windows
    service-control --start VMWareDirectoryService
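The three Linux steps above, wrapped in one script with the checks an operator would want before overwriting the live files: that the new certificate and key actually belong together, that the certificate chains to the CA it was requested from, that it is not about to expire, and that a backup of the current files exists. This is an added example, not VMware's own script. It assumes PEM-encoded input files named as on this page (vmdir.crt, vmdir.priv), a PEM CA-chain bundle passed as the third argument, service-control on PATH, and that vmdir presents its certificate on LDAPS port 636 on localhost (an assumption, used only for the final confirmation).

```shell
#!/bin/sh
# Added example (not VMware's script): performs the Linux steps of the procedure
# with sanity checks first. Assumptions: PEM certificate/key, PEM CA bundle as the
# third argument, service-control on PATH, vmdir serving LDAPS on 636 (assumed).
set -eu

VMDIR_CFG=/usr/lib/vmware-vmdir/share/config   # path from the procedure above

# Return 0 if the certificate's public key is the same as the private key's.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate in $1 chains to the CA bundle in $2.
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate presented by a TLS listener (host:port).
served_fingerprint() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# The procedure: validate, back up the current files, stop, copy, start, confirm.
replace_vmdir_cert() {
  cert=$1; key=$2; ca=$3
  cert_matches_key "$cert" "$key" || { echo "certificate and key do not match" >&2; return 1; }
  cert_chains_to_ca "$cert" "$ca" || { echo "certificate does not chain to $ca" >&2; return 1; }
  cert_valid_for "$cert" 86400    || { echo "certificate expires within a day" >&2; return 1; }

  # Keep the files being replaced so the change can be rolled back.
  stamp=$(date +%Y%m%d%H%M%S)
  cp -p "$VMDIR_CFG/vmdircert.pem" "$VMDIR_CFG/vmdircert.pem.$stamp.bak"
  cp -p "$VMDIR_CFG/vmdirkey.pem"  "$VMDIR_CFG/vmdirkey.pem.$stamp.bak"

  service-control --stop vmdird              # step 1
  cp "$cert" "$VMDIR_CFG/vmdircert.pem"      # step 2
  cp "$key"  "$VMDIR_CFG/vmdirkey.pem"
  service-control --start vmdird             # step 3

  # Confirm the running service now presents the new certificate (port assumed).
  [ "$(served_fingerprint localhost:636)" = "$(cert_fingerprint "$cert")" ] \
    || { echo "vmdir is not serving the new certificate; restore the .bak files" >&2; return 1; }
}

# Usage: sh replace-vmdir-cert.sh vmdir.crt vmdir.priv ca-chain.pem
if [ "$#" -eq 3 ]; then
  replace_vmdir_cert "$@"
fi
```

The checks run before vmdir is stopped, so a mismatched or wrongly issued certificate is rejected without any service interruption; the fingerprint comparison at the end catches the case where the service started but is still presenting the old certificate.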