You can have the VMCA certificate signed by another CA so that VMCA becomes an intermediate CA. Going forward, all certificates that VMCA generates include the full chain.

You can perform this setup by using the vSphere Certificate Manager utility, by using CLIs, or from the Platform Services Controller Web interface.


  1. Generate the CSR.
  2. Edit the certificate that you receive, and place the current VMCA root certificate at the bottom.

Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA) explains both steps.


  1. From a Web browser, connect to the Platform Services Controller at https://psc_hostname_or_IP/psc.
    In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. To replace the existing certificate with the chained certificate, follow these steps:
    1. Under Certificates, click Certificate Authority and select the Root Certificate tab.
    2. Click Replace Certificate.
    3. In the Replace Root Certificate dialog box, click Browse and select the private key, click Browse again and select the certificate, and click OK.
    Going forward, VMCA signs all certificates that it issues with the new chained root certificate.
  4. Renew the machine SSL certificate for the local system.
    1. Under Certificates, click Certificate Management and click the Machine Certificates tab.
    2. Select the certificate, click Renew, and answer Yes to the prompt.
    VMCA replaces the machine SSL certificate with the certificate that is signed by the new CA.
  5. (Optional) Renew the solution user certificates for the local system.
    1. Click the Solution User Certificates tab.
    2. Select a certificate and click Renew to renew individual selected certificates, or click Renew All to replace all certificates and answer Yes to the prompt.
    VMCA replaces the solution user certificate or all solution user certificates with certificates that are signed by the new CA.
  6. If your environment includes an external Platform Services Controller, you can then renew the certificates for each of the vCenter Server systems.
    1. Click the Logout button in the Certificate Management panel.
    2. When prompted, specify the IP address or FQDN of the vCenter Server system and user name and password of a vCenter Server administrator.
      The administrator must be able to authenticate to vCenter Single Sign-On.
    3. Renew the machine SSL certificate on the vCenter Server and, optionally, each solution user certificate.
    4. If you have multiple vCenter Server systems in your environment, repeat the process for each system.

What to do next

Restart services on the Platform Services Controller. You can either restart the Platform Services Controller, or run the following commands from the command line:


On Windows, the service-control command is located at VCENTER_INSTALL_PATH\bin.

service-control --stop --all 
service-control --start VMWareAfdService 
service-control --start VMWareDirectoryService 
service-control --start VMWareCertificateService
vCenter Server Appliance
service-control --stop --all
service-control --start vmafdd 
service-control --start vmdird 
service-control --start vmcad