If company policy requires it, you can replace all certificates used in vSphere with third-party CA-signed certificates. If you do that, VMCA is not in your certificate chain, but all vCenter certificates have to be stored in VECS.
About this task
You can replace all certificates or use a hybrid solution. For example, consider replacing all certificates that are used for network traffic but leaving VMCA-signed solution user certificates in place. Solution user certificates are used only for authentication to vCenter Single Sign-On.
If you do not want to use VMCA, you are responsible for replacing all certificates yourself, for provisioning new components with certificates, and for keeping track of certificate expiration.