Certificate replacement in deployments that include multiple management nodes and one or more Platform Services Controller nodes is similar to replacement in embedded deployments. In both cases, you can use the vSphere Certificate Manager utility or replace certificates manually. The practices below guide the replacement process.

Certificate Replacement in High Availability Environments That Include a Load Balancer

In environments with fewer than eight vCenter Server systems, VMware typically recommends a single Platform Services Controller instance and its associated vCenter Single Sign-On service. In larger environments, consider multiple Platform Services Controller instances behind a network load balancer. When the instances sit behind a load balancer, the machine SSL certificate they present must be valid for the load balancer's name, so plan the replacement certificate's subject alternative names around that name rather than around the individual nodes. The white paper vCenter Server 6.0 Deployment Guide on the VMware website discusses this setup.

Replacement of Machine SSL Certificates in Environments with Multiple Management Nodes

If your environment includes multiple management nodes and a single Platform Services Controller, you can replace certificates with the vSphere Certificate Manager utility, or manually with the certificate management CLI commands (vecs-cli, dir-cli and certool).

vSphere Certificate Manager
You run vSphere Certificate Manager on each machine. On management nodes, you are prompted for the IP address of the Platform Services Controller. Depending on the task you perform, you are also prompted for certificate information.
Manual Certificate Replacement
For manual certificate replacement, you run the certificate replacement commands on each machine. On management nodes, you must specify the Platform Services Controller with the --server parameter. See the following topics for details:

In large deployments, after certificate replacement, restart the Platform Services Controller first and then all management nodes.

Replacement of Solution User Certificates in Environments with Multiple Management Nodes

If your environment includes multiple management nodes and a single Platform Services Controller, follow these steps for certificate replacement.

Note: When you list solution user certificates in large deployments, the output of dir-cli service list includes the solution users of every node. Run vmafd-cli get-machine-id --server-name localhost on each host to find its local machine ID. Each solution user name ends with the machine ID of the node it belongs to, so use that suffix to tell the local solution users apart from those of other nodes.
vSphere Certificate Manager
You run vSphere Certificate Manager on each machine. On management nodes, you are prompted for the IP address of the Platform Services Controller. Depending on the task you perform, you are also prompted for certificate information.
Manual Certificate Replacement
  1. Generate or request a certificate. You need the following certificates:
    • A certificate for the machine solution user on the Platform Services Controller.
    • A certificate for the machine solution user on each management node.
    • A certificate for each of the following solution users on each management node:
      • vpxd solution user
      • vpxd-extension solution user
      • vsphere-webclient solution user
  2. Replace the certificates on each node. The precise process depends on the type of certificate replacement that you are performing. See Managing Certificates with the vSphere Certificate Manager Utility.
See the following topics for details:

In large deployments, after certificate replacement, restart the Platform Services Controller first and then all management nodes.
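The manual procedure above, worked through as an added example (this is not VMware's code): given the output of dir-cli service list from a multi-node deployment, pick out the solution users that belong to one node by the machine ID suffix described in the note, then emit the VECS replacement and vmdir update commands for each of them, adding --server only on management nodes. The sample listing and the machine IDs are constructed, psc.example.com is a placeholder, and the certificate file names <type>.crt and <type>.priv are an assumption of the example; the command lines are printed rather than executed so the script can be reviewed before being run on a real node.

```shell
#!/bin/sh
# Added example, not VMware's code: select one node's solution users from a
# `dir-cli service list` listing and print its manual replacement commands.

# Constructed sample of `dir-cli service list` output (machine IDs are made up).
# Node 1111... is a management node and owns all four solution users;
# node 3333... is the Platform Services Controller and owns only "machine".
# The password prompt line is ignored by the filter below.
SAMPLE_LIST='Enter password for administrator@vsphere.local:
1. machine-11111111-aaaa-4bbb-8ccc-222222222222
2. vpxd-11111111-aaaa-4bbb-8ccc-222222222222
3. vpxd-extension-11111111-aaaa-4bbb-8ccc-222222222222
4. vsphere-webclient-11111111-aaaa-4bbb-8ccc-222222222222
5. machine-33333333-dddd-4eee-9fff-444444444444'

# local_solution_users MACHINE_ID
# Prints the solution user names whose suffix is MACHINE_ID, i.e. the value
# that `vmafd-cli get-machine-id --server-name localhost` returns on that node.
local_solution_users() {
    printf '%s\n' "$SAMPLE_LIST" | sed -n "s/^[0-9][0-9]*\. \(.*-$1\)\$/\1/p"
}

# solution_user_type NAME MACHINE_ID
# Strips the machine ID, leaving machine, vpxd, vpxd-extension or vsphere-webclient.
solution_user_type() {
    printf '%s\n' "$1" | sed "s/-$2\$//"
}

# replacement_commands MACHINE_ID [PSC_FQDN]
# For every solution user of the node, prints the VECS replacement and the
# vmdir update. Pass PSC_FQDN only on a management node, where dir-cli needs
# --server to reach the Platform Services Controller; omit it on the PSC itself.
# File names <type>.crt / <type>.priv are an assumption of this example.
replacement_commands() {
    mid=$1
    srv=""
    if [ -n "$2" ]; then
        srv=" --server $2"
    fi
    local_solution_users "$mid" | while read -r name; do
        kind=$(solution_user_type "$name" "$mid")
        # the VECS store and the alias for a solution user are both the user type
        echo "vecs-cli entry delete --store $kind --alias $kind"
        echo "vecs-cli entry create --store $kind --alias $kind --cert $kind.crt --key $kind.priv"
        echo "dir-cli service update --name $name --cert $kind.crt$srv"
    done
}

# Dry run for both nodes. After running the real commands, restart the PSC
# first and then every management node (service-control --stop --all, then
# service-control --start --all).
echo "# management node 11111111-..."
replacement_commands 11111111-aaaa-4bbb-8ccc-222222222222 psc.example.com
echo "# Platform Services Controller 33333333-..."
replacement_commands 33333333-dddd-4eee-9fff-444444444444
```

On a real node, replace SAMPLE_LIST with the captured output of dir-cli service list and the machine ID with the one vmafd-cli returns locally; the PSC block yields a single set of commands for its machine solution user, while each management node yields four.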

Certificate Replacement in Environments That Include External Solutions

Some solutions, such as VMware vCenter Site Recovery Manager or VMware vSphere Replication, are always installed on a different machine than the vCenter Server system or Platform Services Controller. Such solutions locate vCenter Server through the Lookup Service and trust the certificate recorded in the service registration there. If you replace the default machine SSL certificate on the vCenter Server system or the Platform Services Controller, the registration still carries the old certificate, so a connection error results when the solution attempts to connect to the vCenter Server system.

You can run the ls_update_certs.py script to resolve the issue: it updates every Lookup Service registration that references the old certificate, identified by its fingerprint, to the new certificate. See VMware Knowledge Base article 2109074 for details.