You can replace all VMCA-signed certificates with new VMCA-signed certificates; this process is called renewing certificates. You can renew selected certificates or all certificates in your environment from the Platform Services Controller web interface.

Before you begin

For certificate management, you have to supply the password of the administrator of the local domain (administrator@vsphere.local by default). If you are renewing certificates for a vCenter Server system, you also have to supply the vCenter Single Sign-On credentials for a user with administrator privileges on the vCenter Server system.

Procedure

  1. From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.

    Option

    Description

    vSphere Web Client

    https://vc_hostname_or_IP/vsphere-client

    Platform Services Controller

    https://psc_hostname_or_IP/psc

    In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.

    If you specified a different domain during installation, log in as administrator@mydomain.

  3. Under Certificates, select Certificate Management and specify the IP address or host name for the Platform Services Controller and the user name and password of the administrator of the local domain (administrator@vsphere.local by default), and click Submit.
  4. Renew the machine SSL certificate for the local system.
    1. Click the Machine Certificates tab.
    2. Select the certificate, click Renew, and answer Yes to the prompt.
  5. (Optional) Renew the solution user certificates for the local system.
    1. Click the Solution User Certificates tab.
    2. Select a certificate and click Renew to renew individual selected certificates, or click Renew All to renew all solution user certificates.
    3. Answer Yes at the prompt.
  6. If your environment includes an external Platform Services Controller, you can then renew the certificates for each of the vCenter Server system.
    1. Click the Logout button in the Certificate Management panel.
    2. When prompted, specify the IP address or FQDN of the vCenter Server system and user name and password of a vCenter Server administrator who can authenticate to vCenter Single Sign-On.
    3. Renew the machine SSL certificate on the vCenter Server and, optionally, each solution user certificate.
    4. If you have multiple vCenter Server systems in your environment, repeat the process for each system.

What to do next

Restart services on the Platform Services Controller. You can either restart the Platform Services Controller, or run the following commands from the command line:

Windows

On Windows, the service-control command is located at VCENTER_INSTALL_PATH\bin.

service-control --stop --all 
service-control --start VMWareAfdService 
service-control --start VMWareDirectoryService 
service-control --start VMWareCertificateService

vCenter Server Appliance

service-control --stop --all
service-control --start vmafdd 
service-control --start vmdird 
service-control --start vmcad