You can add custom Machine SSL certificates and custom solution user certificates to the certificate store from the Platform Services Controller.

In most cases, replacing the machine SSL certificate for each component is sufficient. The solution user certificate remains behind a proxy.


Generate certificate signing requests (CSRs) for each certificate that you want to replace. You can generate the CSRs with the Certificate Manager utility. You can also generate a CSR for a machine SSL certificate using the vSphere Client. Place the certificate and private key in a location that the Platform Services Controller can access.


  1. Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. Enter the credentials of your vCenter Server.
  5. To replace a machine SSL certificate follow, these steps:
    1. Under Machine SSL Certificate, for the certificate that you want to replace, click Actions > Replace.
    2. Browse for the machine SSL certificate (.cer, .pem, or .crt file) and the private key (.key file).
    3. Click Replace.
  6. To replace the solution user certificates, follow these steps:
    1. Under Solution Certificates, for the first of the certificates for a component, for example, machine, click Actions > Replace.
    2. Click Browse to replace the certificate chain, then click Browse to replace the private key.
    3. Click Replace.
    4. Repeat the process for the other certificates for the same component.


A message appears that the certificate has been replaced.

What to do next

Restart services on the Platform Services Controller. You can either restart the Platform Services Controller, or run the following commands from the command line:


On Windows, the service-control command is located at VCENTER_INSTALL_PATH\bin.

service-control --stop --all 
service-control --start VMWareAfdService 
service-control --start VMWareDirectoryService 
service-control --start VMWareCertificateService
vCenter Server Appliance
service-control --stop --all
service-control --start vmafdd 
service-control --start vmdird 
service-control --start vmcad