vSphere components use SSL (in practice TLS) to communicate securely with each other and with ESXi hosts. The encrypted channel provides confidentiality and integrity: data cannot be read or modified in transit without detection. That guarantee holds only when each side validates the peer's certificate against a trusted CA, which is why the certificates described in this chapter matter.

Certificates are also used by vCenter Server services, such as the vSphere Web Client, to authenticate initially to vCenter Single Sign-On. vCenter Single Sign-On then issues each component a SAML token, which the component uses for authentication from that point on.

In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host and each vCenter Server service with a certificate that is signed by VMCA by default.

You can replace the existing certificates with new VMCA-signed certificates, make VMCA a subordinate CA (so that the certificates it issues chain to your own root CA), or replace all certificates with custom certificates. Whichever mode you choose, you can perform the replacement with one of the following tools:

Table 1. Different Approaches to Certificate Replacement

Approach                                                          | See
------------------------------------------------------------------|--------------------------------------------------------------------------
Use the Platform Services Controller web interface                | Managing Certificates with the Platform Services Controller Web Interface
(vSphere 6.0 Update 1 and later)                                  |
Use the vSphere Certificate Manager utility from the command line | Managing Certificates with the vSphere Certificate Manager Utility
Use CLI commands for manual certificate replacement               | Managing Certificates and Services with CLI Commands
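Before choosing one of these approaches, it helps to confirm what a vCenter Server or ESXi host is presenting today: a VMCA-signed certificate, a custom one, or a self-signed one, and how long it stays valid. The shell functions below are an added example for this page, not VMware's code and not part of the original documentation. They assume the openssl command-line tool is available, and they treat an issuer DN containing DC=vsphere,DC=local (the naming of the default VMCA root, assumed here) as VMCA-issued; a VMCA made subordinate to an enterprise CA, or any other custom chain, is reported as custom. The hostname vcenter.example.com in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for this page, not VMware code. Requires the openssl CLI.
# Assumption: the default VMCA root DN contains "DC=vsphere,DC=local" (the
# default vCenter Single Sign-On domain), so a leaf whose issuer carries that
# DN is reported as VMCA-signed. Any other issuer is reported as "custom".

# Print subject, issuer and expiry of the PEM certificate on stdin, with names
# in RFC 2253 form so the output is stable across OpenSSL versions.
cert_summary() {
    openssl x509 -noout -nameopt RFC2253 -subject -issuer -enddate
}

# Return 0 if an RFC 2253 issuer DN points at the default VMCA root, 1 otherwise.
is_vmca_issuer() {
    case "$1" in
        *DC=vsphere,DC=local*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the PEM certificate on stdin: prints "self-signed", "vmca" or "custom".
classify_cert_pem() {
    summary=$(cert_summary)
    subject=$(printf '%s\n' "$summary" | sed -n 's/^subject= *//p')
    issuer=$(printf '%s\n' "$summary" | sed -n 's/^issuer= *//p')
    if [ "$subject" = "$issuer" ]; then
        echo self-signed
    elif is_vmca_issuer "$issuer"; then
        echo vmca
    else
        echo custom
    fi
}

# Return 0 if the PEM certificate on stdin is still valid $1 seconds from now,
# 1 if it expires before then (or has already expired). Useful for checking
# that a certificate outlives the planned replacement window.
valid_for_seconds() {
    openssl x509 -noout -checkend "$1" >/dev/null
}

# Connect to a live endpoint (vCenter Server or ESXi, port 443 by default),
# take the leaf certificate it presents and classify it.
# Usage: classify_host vcenter.example.com [443]   (placeholder hostname)
classify_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM 2>/dev/null \
        | classify_cert_pem
}
```

Run classify_host against the vCenter Server and each ESXi host before and after a replacement: the result should move from vmca to custom when you switch to custom certificates, and stay vmca after regenerating VMCA-signed certificates or making VMCA a subordinate CA only if the default root DN is kept, which is why the issuer string match above is an assumption to check against your own chain.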