You can send the VMCA root certificate as a CSR to an enterprise or third-party CA for signing, and combine the signed VMCA certificate with the VMCA root certificate. After you replace the VMCA root certificate with the certificate chain, all certificates that VMCA generates include the full chain.
Before you begin
Generate the certificate chain.
You can use vSphere Certificate Manager to create the CSR or create the CSR manually.
After you receive the signed certificate from your third-party or enterprise CA, combine it with the initial VMCA root certificate to create the full chain.
See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA) for certificate requirements and the process of combining the certificates.
Gather the information that you will need.
Password for administrator@vsphere.local (the vCenter Single Sign-On administrator).
Valid custom certificate for Root (.crt file).
Valid custom key for Root (.key file).
About this task
You run vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller to replace the VMCA root certificate with a custom signing certificate.
- Start vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller and select option 2.
- Select option 2 again to start certificate replacement and respond to the prompts.
- Specify the full path to the root certificate when prompted.
- If you are replacing certificates for the first time, you are prompted for information to be used for the machine SSL certificate.
  This information includes the required FQDN of the machine and is stored in the certool.cfg file.
- If you replace the root certificate on the Platform Services Controller in a multi-node deployment, follow these steps for each vCenter Server node.
  - Restart services on the vCenter Server node.
  - Regenerate all certificates on the vCenter Server instance by using options 3 (Replace Machine SSL certificate with VMCA Certificate) and 6 (Replace Solution user certificates with VMCA certificates).
When you replace the certificates, VMCA signs with the full chain.
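The procedure above fails late, after services have been touched, if the .crt chain and .key file you hand to Certificate Manager do not belong together or are in the wrong order. The following POSIX shell script, added here as an example and not part of vSphere or its documentation, checks the pair up front with OpenSSL: the first certificate in the chain must match the private key, and the remaining certificates must verify it. The function name and file names are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the .crt/.key pair that vSphere Certificate Manager
# option 2 asks for: the chain file must start with the CA-signed VMCA
# certificate, followed by its issuer(s) up to a self-signed root, and the
# .key file must belong to that first certificate. Constructed example;
# the function and file names are assumptions, not part of the product.

# Print the n-th certificate of a PEM bundle (1-based).
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"
}

# Count certificates in a PEM bundle (prints 0 when none).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_root_chain CHAIN.crt ROOT.key  -> returns 0 if the pair is usable
check_root_chain() {
    chain="$1"; key="$2"
    n=$(cert_count "$chain")
    if [ "$n" -lt 2 ]; then
        echo "chain must hold the signed VMCA cert plus its issuer(s); found $n" >&2
        return 1
    fi
    tmp=$(mktemp -d)
    nth_cert "$chain" 1 > "$tmp/leaf.pem"
    : > "$tmp/issuers.pem"
    i=2
    while [ "$i" -le "$n" ]; do
        nth_cert "$chain" "$i" >> "$tmp/issuers.pem"; i=$((i + 1))
    done
    # 1. The private key must match the public key of the first certificate.
    cert_pub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match the first certificate in $chain" >&2
        rm -rf "$tmp"; return 1
    fi
    # 2. The remaining certificates must verify the first one (they must end
    #    at a self-signed root, otherwise openssl verify has no trust anchor).
    if ! openssl verify -CAfile "$tmp/issuers.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
        echo "first certificate in $chain does not chain to the rest of the file" >&2
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    echo "OK: $chain ($n certificates) and $key are consistent"
}
```

Run it as `check_root_chain chain.crt root.key` before starting Certificate Manager; a non-zero exit means the chain order or the key is wrong and the replacement should not be attempted yet.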
What to do next
If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.