Managing Certificates with the Platform Services Controller Web Interface

You can view and manage certificates by logging in to the Platform Services Controller web interface. You can perform many certificate management tasks either with the vSphere Certificate Manager utility or by using this web interface.

The Platform Services Controller web interface allows you to perform these management tasks.

View the current certificate stores and add and remove certificate store entries.
View the VMware Certificate Authority (VMCA) instance associated with this Platform Services Controller.
View certificates that are generated by VMware Certificate Authority.
Renew existing certificates or replace certificates.

Most parts of the certificate replacement workflows are supported fully from the Platform Services Controller web interface. For generating CSRs, you can use the vSphere Certificate Manage utility.

Supported Workflows

After you install a Platform Services Controller, the VMware Certificate Authority on that node provisions all other nodes in the environment with certificates by default. You can use one of the following workflows to renew or replace certificates.

Renew Certificates: You can have VMCA generate a new root certificate and renew all certificates in your environment from the Platform Services Controller web interface.

Make VMCA an Intermediate CA: You can generate a CSR using the vSphere Certificate Manager utility, edit the certificate you receive from the CSR to add VMCA to the chain, and then add the certificate chain and private key to your environment. When you then renew all certificates, VMCA provisions all machines and solution users with certificates that are signed by the full chain.
Replace Certificates with Custom Certificates: If you do not want to use VMCA, you can generate CSRs for the certificates that you want to replace. The CA returns a root certificate and a signed certificate for each CSR. You can upload the root certificate and the custom certificates from the Platform Services Controller.

In a mixed-mode environment, you can use CLI commands to replace the vCenter Single Sign-On certificate after replacing the other certificates. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.