You can have the VMCA certificate signed by another CA so that VMCA becomes an intermediate CA. Going forward, all certificates that VMCA generates include the full chain.
You can perform this setup by using the vSphere Certificate Manager utility, by using CLIs, or from the Platform Services Controller Web interface.
Prerequisites
- Generate the CSR.
- Edit the certificate that you receive, and place the current VMCA root certificate at the bottom.
Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA) explains both steps.
Procedure
What to do next
Restart services on the Platform Services Controller. You can either restart the Platform Services Controller, or run the following commands from the command line:
- Windows
-
On Windows, the service-control command is located at VCENTER_INSTALL_PATH\bin.
service-control --stop --all service-control --start VMWareAfdService service-control --start VMWareDirectoryService service-control --start VMWareCertificateService
- vCenter Server Appliance
-
service-control --stop --all service-control --start vmafdd service-control --start vmdird service-control --start vmcad