vCenter services use SSL to communicate securely with each other and with ESXi. SSL communications ensure data confidentiality and integrity. Data is protected and cannot be modified in transit without detection.

vCenter Server services such as the vSphere Web Client also use certificates for initial authentication to vCenter Single Sign-On. vCenter Single Sign-On provisions each set of services (solution user) with a SAML token that the solution user can authenticate with.

In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host and each vCenter Server service with a certificate that is signed by VMCA by default.

You can replace the existing certificates with new VMCA-signed certificates, make VMCA a subordinate CA, or replace all certificates with custom certificates. You have several options:

Table 1. Different Approaches to Certificate Replacement

| Option | See |
| --- | --- |
| Use the Platform Services Controller Web interface (vSphere 6.0 Update 1 and later). | Managing Certificates with the Platform Services Controller Web Interface |
| Use the vSphere Certificate Manager utility from the command line. | Managing Certificates with the vSphere Certificate Manager Utility |
| Use CLI commands for manual certificate replacement. | Managing Services and Certificates With CLI Commands |