vSphere components use SSL to communicate securely with each other and with ESXi. SSL communications ensure data confidentiality and integrity. Data is protected, and cannot be modified in transit without detection.

Certificates are also used by vCenter Server services such as the vSphere Web Client for initial authentication to vCenter Single Sign-On. vCenter Single Sign-On provisions each component with a SAML token that the component uses for authentication going forward.

In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host and each vCenter Server service with a certificate that is signed by VMCA by default.

You can replace the existing certificates with new VMCA-signed certificates, make VMCA a subordinate CA, or replace all certificates with custom certificates. You have several options:
Table 1. Different Approaches to Certificate Replacement
Option See
Use the Platform Services Controller web interface (vSphere 6.0 Update 1 and later). Managing Certificates with the Platform Services Controller Web Interface
Use the vSphere Certificate Manager utility from the command line. Managing Certificates with the vSphere Certificate Manager Utility
Use CLI commands for manual certificate replacement. Managing Certificates and Services with CLI Commands