The first step in replacing the VMCA certificates with custom certificates is generating a CSR, sending the CSR to be signed. You then add the signed certificate to VMCA as a root certificate.

You can use the Certificate Manager utility or other tool to generate the CSR. The CSR must meet the following requirements:
  • Key size: 2048 bits or more
  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
  • x509 version 3
  • If you are using custom certificates, the CA extension must be set to true for root certificates, and cert sign must be in the list of requirements.
  • CRL signing must be enabled.
  • Enhanced Key Usage can be either empty or contain Server Authentication.
  • No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
  • Certificates with wildcards or with more than one DNS name are not supported.
  • You cannot create subsidiary CAs of VMCA.

    See the VMware knowledge base article at, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0, for an example using Microsoft Certificate Authority.

VMCA validates the following certificate attributes when you replace the root certificate:
  • Key size 2048 bits or more
  • Key Usage: Cert Sign
  • Basic Constraint: Subject Type CA


  1. Generate a CSR and send it to your CA.
    Follow your CA's instructions.
  2. Prepare a certificate file that includes the signed VMCA certificate and the full CA chain of your third-party CA or enterprise CA. Save the file, for example as rootca1.crt.
    You can accomplish this step by copying all CA certificates in PEM format into a single file. You start with the VMCA root certificate and end up with the root CA PEM certificate. For example:
    <Certificate of VMCA>
    -----END CERTIFICATE-----
    <Certificate of intermediary CA>
    -----END CERTIFICATE-----
    <Certificate of Root CA>
    -----END CERTIFICATE-----
  3. Stop all services and start the services that handle certificate creation, propagation, and storage.
    The service names differ on Windows and the vCenter Server Appliance.
    Note: If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
    service-control --stop --all
    service-control --start VMWareAfdService
    service-control --start VMWareDirectoryService
    service-control --start VMWareCertificateService
    vCenter Server Appliance
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
  4. Replace the existing VMCA root CA.
    certool --rootca --cert=rootca1.crt --privkey=root1.key
    When you run this command, it:
    • Adds the new custom root certificate to the certificate location in the file system.
    • Appends the custom root certificate to the TRUSTED_ROOTS store in VECS (after a delay).
    • Adds the custom root certificate to vmdir (after a delay).
  5. (Optional) To propagate the change to all instances of vmdir (VMware Directory Service), publish the new root certificate to vmdir, supplying the full file path for each file.
    For example:
    dir-cli trustedcert publish --cert rootca1.crt
    Replication between vmdir nodes happens every 30 seconds. You do not have to add the root certificate to VECS explicitly because VECS polls vmdir for new root certificate files every 5 minutes.
  6. (Optional) If necessary, you can force a refresh of VECS.
    vecs-cli force-refresh
  7. Restart all services.
    service-control --start --all

Example: Replacing the Root Certificate

Replace the VMCA root certificate with the custom CA root certificate using the certool command with the --rootca option.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\certool" --rootca --cert=C:\custom-certs\root.pem -–privkey=C:\custom-certs\root.key
When you run this command, it:
  • Adds the new custom root certificate to the certificate location in the file system.
  • Appends the custom root certificate to the TRUSTED_ROOTS store in VECS.
  • Adds the custom root certificate to vmdir.

What to do next

You can remove the original VMCA root certificate from the certificate store if your company policy requires it. If you do, you have to replace the vCenter Single Sign-On Signing certificate. See Refresh the Security Token Service Certificate.