If company policy does not allow an intermediate CA, VMCA cannot generate the certificates for you. You use custom certificates from an enterprise or third-party CA.


The certificate must meet the following requirements:

  • Key size: 2048 bits or more (PEM encoded)
  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8
  • x509 version 3
  • For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
  • SubjectAltName must contain DNS Name=<machine_FQDN>
  • CRT format
  • Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
  • Start time of one day before the current time
  • CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.


  1. Send CSRs for the following certificates to your enterprise or third-party certificate provider.
    • A machine SSL certificate for each machine. For the machine SSL certificate, the SubjectAltName field must contain the fully qualified domain name (DNS NAME=machine_FQDN)
    • Optionally, four solution user certificates for each embedded system or management node. Solution user certificates should not include IP address, host name, or email address. Each certificate must have a different certificate Subject.

    Typically, the result is a PEM file for the trusted chain, plus the signed SSL certificates for each Platform Services Controller or management node.

  2. List the TRUSTED_ROOTS and machine SSL stores.
    vecs-cli store list 
    1. Ensure that the current root certificate and all machine SSL certificates are signed by VMCA.
    2. Note down the Serial number, issuer, and Subject CN fields.
    3. (Optional) With a Web browser, open a HTTPS connection to a node where the certificate will be replaced, check the certificate information, and ensure that it matches the machine SSL certificate.
  3. Stop all services and start the services that handle certificate creation, propagation, and storage.
    The service names differ on Windows and the vCenter Server Appliance.
    service-control --stop --all
    service-control --start VMWareAfdService
    service-control --start VMWareDirectoryService
    service-control --start VMWareCertificateService
    vCenter Server Appliance
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
  4. Publish the custom root certificat, which is the signing certificate from the third-party CA.
    dir-cli trustedcert publish --cert <my_custom_root>
    If you do not specify a user name and password on the command line, you are prompted.
  5. Restart all services.
    service-control --start --all

What to do next

You can remove the original VMCA root certificate from the certificate store if company policy requires it. If you do, you have to refresh these internal certificates: