In a multi-node deployment that uses VMCA as an intermediate CA, you have to replace the machine SSL certificate explicitly. First you replace the VMCA root certificate on the Platform Services Controller node, and then you can replace the certificates on the vCenter Server nodes to have the certificates signed by the full chain. You can also use this option to replace machine SSL certificates that are corrupt or about to expire.

When you replace the existing machine SSL certificate with a new VMCA-signed certificate, vSphere Certificate Manager prompts you for information and enters all values, except for the password and the IP address of the Platform Services Controller, into the certool.cfg file.

  • Password for administrator@vsphere.local.
  • Two-letter country code
  • Company name
  • Organization name
  • Organization unit
  • State
  • Locality
  • IP address (optional)
  • Email
  • Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
  • IP address of Platform Services Controller if you are running the command on a management node


  • Restart all vCenter Server nodes explicitly if you replaced the VMCA root certificate in a multi-node deployment.
  • You must know the following information to run Certificate Manager with this option.
    • Password for administrator@vsphere.local.
    • The FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values but can be changed.
    • Host name or IP address of the Platform Services Controller if you are running on a vCenter Server system with an external Platform Services Controller.


  1. Start vSphere Certificate Manager and select option 3.
  2. Respond to the prompts.
    Certificate Manager stores the information in the certool.cfg file.


vSphere Certificate Manager replaces the machine SSL certificate.