After you replace the machine SSL certificates, you can replace the VMCA-signed solution user certificates with third-party or enterprise certificates.
- Certificates either sit behind a proxy, or they are custom certificates.
- No intermediate CAs are used.
Solution users use certificates only to authenticate to vCenter Single Sign-On. If the certificate is valid, vCenter Single Sign-On assigns a SAML token to the solution user, and the solution user uses the SAML token to authenticate to other vCenter components.
You replace the machine solution user certificate on each management node and on each Platform Services Controller node. You replace the other solution user certificates only on each management node. Use the --server parameter to point to the Platform Services Controller when you run commands on a management node with an external Platform Services Controller.
Prerequisites
- Key size: 2048 bits or more (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
-
Each solution user certificate must have a different Subject. Consider, for example, including the solution user name (such as vpxd) or other unique identifier.
- Contains the following Key Usages: Digital Signature, Key Encipherment