For certain parts of manual certificate replacement, you must stop all services and then start only the services that manage the certificate infrastructure. If you stop services only when needed, you can minimize downtime.

You have to stop and start services as part of the certificate replacement process.

  • If your environment uses an embedded Platform Services Controller, you start and stop all services, as discussed in this document.

  • If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.

Follow these rules of thumb.

  • Do not stop services to generate new public/private key pairs or new certificates.

  • If you are the only administrator, you do not have to stop services when you add a new root certificate. The old root certificate remains available, and all services can still authenticate with that certificate. Stop and immediately restart all services after you add the root certificate to avoid problems with your hosts.

  • If your environment includes multiple administrators, stop services before you add a new root certificate and restart services after you add it.

  • Stop services right before you perform these tasks:

    • Delete a machine SSL certificate or any solution user certificate in VECS.

    • Replace a solution user certificate in vmdir (VMware Directory Service).
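
The stop-all, start-only-certificate-services sequence from the opening paragraph, with the embedded versus external Platform Services Controller difference applied, is sketched below as an added example (not VMware's own script). It assumes the `service-control` utility of the vCenter Server Appliance and also starts `vmafdd` (VMware Authentication Framework), a service this page does not name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: plan the service-control calls around a certificate change.
# Assumption: run on a vCenter Server Appliance node with service-control on PATH.

# Services to bring back after "stop all", by node type.
#   embedded: the node runs the Platform Services Controller itself.
#   external: vCenter Server node; vmdird and vmcad run on the separate PSC.
cert_services_for() {
    case "$1" in
        embedded) echo "vmafdd vmdird vmcad" ;;
        external) echo "vmafdd" ;;
        *) echo "unknown node type: $1" >&2; return 2 ;;
    esac
}

# Print, one per line, the commands that stop everything and then start
# only the services that manage the certificate infrastructure.
cert_window_open() {
    services=$(cert_services_for "$1") || return 2
    echo "service-control --stop --all"
    for svc in $services; do
        echo "service-control --start $svc"
    done
}

# Print the command that ends the maintenance window.
cert_window_close() {
    echo "service-control --start --all"
}

# Read commands on stdin. DRY_RUN=1 (the default) only prints them;
# DRY_RUN=0 executes each one and stops at the first failure.
run_plan() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: $cmd"
        else
            $cmd || return 1
        fi
    done
}

# Usage (dry run): cert_window_open embedded | run_plan
# After the certificate task: cert_window_close | run_plan
```

Review the dry-run output before setting `DRY_RUN=0`, and open the window right before the delete or replace task so that downtime stays short.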