You can regenerate the VMCA root certificate and replace the local machine SSL certificate and the local solution user certificates with VMCA-signed certificates. In multi-node deployments, run vSphere Certificate Manager with this option on the Platform Services Controller first, then run the utility again on every other node and select Replace Machine SSL certificate with VMCA Certificate and Replace Solution user certificates with VMCA certificates.

When you run this command, vSphere Certificate Manager prompts you for the password and for certificate information and stores all of that information, except the password, in the certool.cfg file. After that, stopping services, replacing all certificates, and restarting processes happen automatically. You are prompted for the following information:

  • Password for administrator@vsphere.local
  • Two-letter country code
  • Company name
  • Organization name
  • Organization unit
  • State
  • Locality
  • IP address (optional)
  • Email
  • Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate
  • IP address of Platform Services Controller if you are running the command on a management node
You must know the FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values. The IP address is optional.
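Because Certificate Manager writes whatever you type at the prompts into certool.cfg and then replaces certificates unattended, it pays to validate the values before starting, in particular the FQDN, which must match the machine you are re-certifying. The following POSIX shell helper is an added example, not VMware's code and not part of the Certificate Manager utility: it checks the two-letter country code, the optional IPv4 address and the FQDN, and renders a certool.cfg body from the prompted values. The key names (Country, Name, Organization, OrgUnit, State, Locality, IPAddress, Email, Hostname) are assumed to follow the certool.cfg template that ships with vCenter Server; compare them against the file on your own appliance before relying on the output. The sample values at the bottom are constructed.

```shell
#!/bin/sh
# Pre-flight validation for the values vSphere Certificate Manager prompts for.
# Added example; not VMware code. It does not invoke certificate-manager itself.
# Assumption: the key names match the certool.cfg template shipped with vCenter.

# Two-letter ISO 3166 country code, upper case (the form certool.cfg expects).
validate_country() {
  case "$1" in
    [A-Z][A-Z]) return 0 ;;
    *) return 1 ;;
  esac
}

# Fully qualified domain name: at least one dot, labels of letters, digits and
# hyphens (no leading or trailing hyphen), and an alphabetic top-level label.
validate_fqdn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# IPv4 dotted quad with each octet in 0-255. An empty value is accepted
# because the IP address field is optional.
validate_ip() {
  [ -z "$1" ] && return 0
  printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Render a certool.cfg body on stdout, or print a reason on stderr and fail.
# Arguments: country name organization orgunit state locality ip email hostname
render_certool_cfg() {
  validate_country "$1" || { echo "country code must be two upper-case letters: '$1'" >&2; return 1; }
  validate_ip "$7"      || { echo "IP address must be an IPv4 dotted quad: '$7'" >&2; return 1; }
  validate_fqdn "$9"    || { echo "hostname must be a fully qualified domain name: '$9'" >&2; return 1; }
  printf 'Country = %s\nName = %s\nOrganization = %s\nOrgUnit = %s\nState = %s\nLocality = %s\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
  # Only emit IPAddress when one was supplied; the field is optional.
  [ -n "$7" ] && printf 'IPAddress = %s\n' "$7"
  printf 'Email = %s\nHostname = %s\n' "$8" "$9"
}

# Usage with constructed sample values (not from any real deployment).
render_certool_cfg US Acme AcmeOrg "AcmeOrg Engineering" California "Palo Alto" \
  "" ops@example.com vc01.example.com
```

Run the script on a workstation before the maintenance window; if it rejects a value, fix the value first rather than discovering the mistake after services have already been stopped and certificates replaced.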

What to do next

After replacing the root certificate in a multi-node deployment, you must restart services on all vCenter Server nodes that use an external Platform Services Controller.