You can perform different types of certificate replacement depending on company policy and requirements for the system that you are configuring. You can perform certificate replacement from the Platform Services Controller, by using the vSphere Certificate Manager utility or manually by using the CLIs included with your installation.

You can replace the default certificates. For vCenter Server components, you can use a set of command-line tools included in your installation. You have several options.

Replace With Certificates Signed by VMCA

If your VMCA certificate expires or you want to replace it for other reasons, you can use the certificate management CLIs to perform that process. By default, the VMCA root certificate expires after ten years, and all certificates that VMCA signs expire when the root certificate expires, that is, after a maximum of ten years.

Figure 1. Certificates Signed by VMCA Are Stored in VECS
In default mode, VMCA provisions with certificates that are signed by VMCA

Make VMCA an Intermediate CA

You can replace the VMCA root certificate with a certificate that is signed by an enterprise CA or third-party CA. VMCA signs the custom root certificate each time it provisions certificates, making VMCA an intermediate CA.

Note:

If you perform a fresh install that includes an external Platform Services Controller, install the Platform Services Controller first and replace the VMCA root certificate. Next, install other services or add ESXi hosts to your environment. If you perform a fresh install with an embedded Platform Services Controller, replace the VMCA root certificate before you add ESXi hosts. If you do, VMCA signs the whole chain, and you do not have to generate new certificates.

Figure 2. Certificates Signed by a Third-Party or Enterprise CA Use VMCA as an Intermediate CA
VMCA certificate is includes as an intermediary certificate. The root certificate is signed by a third-party CA.

Do Not Use VMCA, Provision with Custom Certificates

You can replace the existing VMCA-signed certificates with custom certificates. If you use that approach, you are responsible for all certificate provisioning and monitoring.

Figure 3. External Certificates are Stored Directly in VECS
External certificates are stored directly in VECS. VMCA is not used.

Hybrid Deployment

You can have VMCA supply some of the certificates, but use custom certificates for other parts of your infrastructure. For example, because solution user certificates are used only to authenticate to vCenter Single Sign-On, consider having VMCA provision those certificates. Replace the machine SSL certificates with custom certificates to secure all SSL traffic.

Company policy often does not allow intermediate CAs. For those cases, hybrid deployment is a good solution. It minimizes the number of certificates to replace, and secures all traffic. The hybrid deployment leaves only internal traffic, that is, solution user traffic, to use the default VMCA-signed certificates

ESXi Certificate Replacement

For ESXi hosts, you can change certificate provisioning behavior from the vSphere Web Client. See the vSphere Securitydocumentation for details.

Table 1. ESXi Certificate Replacement Options

Option

Description

VMware Certificate Authority mode (default)

When you renew certificates from the vSphere Web Client, VMCA issues the certificates for the hosts. If you changed the VMCA root certificate to include a certificate chain, the host certificates include the full chain.

Custom Certificate Authority mode

Allows you to manually update and use certificates that are not signed or issued by VMCA.

Thumbprint mode

Can be used to retain 5.5 certificates during refresh. Use this mode only temporarily in debugging situations.