You can regenerate the VMCA root certificate, and replace the local machine SSL certificate, and the local solution user certificates with VMCA-signed certificates. In multi-node deployments, run vSphere Certificate Manager with this option on the Platform Services Controller and then run the utility again on all other nodes and select Replace Machine SSL certificate with VMCA Certificate and Replace Solution user certificates with VMCA certificates.

About this task

When you replace the existing machine SSL certificate with a new VMCA-signed certificate, vSphere Certificate Manager prompts you for information and enters all values, except for the password and the IP address of the Platform Services Controller, into the certool.cfg file.

  • Password for administrator@vsphere.local.

  • Two-letter country code

  • Company name

  • Organization name

  • Organization unit

  • State

  • Locality

  • IP address (optional)

  • Email

  • Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.

  • IP address of Platform Services Controller if you are running the command on a management node


You must know the following information when you run vSphere Certificate Manager with this option.

  • Password for administrator@vsphere.local.

  • The FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values but can be changed.


  1. Start vSphere Certificate Manager on an embedded deployment or on a Platform Services Controller.
  2. Select option 4.
  3. Respond to the prompts.

    Certificate Manager generates a new VMCA root certificate based on your input and replaces all certificates on the system where you are running Certificate Manager. If you use an embedded deployment, the replacement process is complete after Certificate Manager has restarted the services.

  4. If your environment includes an external Platform Services Controller, you have to replace certificates on each vCenter Server system.
    1. Log in to the vCenter Server system.
    2. Stop all services and start the services that handle certificate creation, propagation, and storage.

      The service names differ on Windows and the vCenter Server Appliance.


      service-control --stop --all
      service-control --start VMWareAfdService
      service-control --start VMWareDirectoryService
      service-control --start VMWareCertificateService

      vCenter Server Appliance

      service-control --stop --all
      service-control --start vmafdd
      service-control --start vmdird
      service-control --start vmcad
    3. Restart all services.
      service-control --start --all
    4. To replace the machine SSL certificate, run vSphere Certificate Manager with option 3, Replace Machine SSL certificate with VMCA Certificate.
    5. To replace the solution user certificates, run Certificate Manager with option 6, Replace Solution user certificates with VMCA certificates.