You can use the vSphere Certificate Manager utility to replace all certificates with custom certificates. Before you start the process, you must send CSRs to your CA. You can use Certificate Manager to generate the CSRs.

One option is to replace only the machine SSL certificate, and to use the solution user certificates that are provisioned by VMCA. Solution user certificates are used only for communication between vSphere components.

When you use custom certificates, you replace the VMCA-signed certificates with custom certificates. You can use the vSphere Client, the vSphere Certificate Manager utility, or CLIs for manual certificate replacement. Certificates are stored in VECS.

To replace all certificates with custom certificates, you have to run Certificate Manager several times. The workflow gives the complete set of steps for replacing both machine SSL certificates and solution user certificates. It explains what to do in environments with embedded Platform Services Controller or external Platform Services Controller.

  1. You generate certificate signing requests for the machine SSL certificate and the solution user certificates separately on each machine.
    1. To generate CSRs for the machine SSL certificate, you select Option 1.
    2. If company policy does not allow a hybrid deployment, you select Option 5.
  2. After you received the signed certificates and the root certificate from your CA, you replace the machine SSL certificate on each machine by using Option 1.
  3. If you also want to replace the solution user certificates, you select Option 5.
  4. Finally, in a multi-node deployment, you have to repeat the process on each node.