You can regenerate the VMCA root certificate, and replace the local machine SSL certificate, and the local solution user certificates with VMCA-signed certificates. In multi-node deployments, run vSphere Certificate Manager with this option on the Platform Services Controller and then run the utility again on all other nodes and select Replace Machine SSL certificate with VMCA Certificate and Replace Solution user certificates with VMCA certificates.
About this task
When you run this command, vSphere Certificate Manager prompts you for the password and for certificate information and stores all information, except for the password, in the certool.cfg file. After that, stopping services, replacing all certificates, and restarting processes is automatic. You are prompted for the following information:
Password for firstname.lastname@example.org.
Two-letter country code
IP address (optional)
Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate
IP address of Platform Services Controller if you are running the command on a management node
You must know the FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values. The IP address is optional.
What to do next
After replacing the root certificate in a multi-node deployment, you must restart services on all vCenter Server with external Platform Services Controller nodes.