During an upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. In that case, if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running, you must perform additional steps to replace the VMware Directory Service SSL certificate.
The VMware Directory Service SSL certificate is used by vmdir to perform handshakes between Platform Services Controller nodes that perform vCenter Single Sign-On replication.
These steps are not required for a mixed mode environment that includes vSphere 6.0 and vSphere 6.5 nodes. These steps are required only if:
- Your environment includes both vCenter Single Sign-On 5.5 and vCenter Single Sign-On 6.x services.
- The vCenter Single Sign-On services are set up to replicate vmdir data.
- You plan to replace the default VMCA-signed certificates with custom certificates for the node on which the vCenter Single Sign-On 6.x service runs.
Note: Upgrading the complete environment before restarting the services is a best practice. Replacing the VMware Directory Service certificate is not usually recommended.