You can use custom certificates from an enterprise or third-party CA. The first step is requesting the certificates from the certificate authority and importing the root certificates into VMware Endpoint Certificate Store (VECS).


The certificate must meet the following requirements:

  • Key size: 2048 bits or more (PEM encoded)
  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
  • x509 version 3
  • For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
  • SubjectAltName must contain DNS Name=<machine_FQDN>.
  • CRT format
  • Contains the following Key Usages: Digital Signature, Key Encipherment
  • Start time of one day before the current time.
  • CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.


  1. Send Certificate Signing Requests (CSRs) for the following certificates to your enterprise or third-party certificate provider.
    • A machine SSL certificate for each machine. For the machine SSL certificate, the SubjectAltName field must contain the fully qualified domain name (DNS NAME=machine_FQDN).
    • Optionally, four solution user certificates for each embedded system or management node. Solution user certificates should not include IP address, host name, or email address. Each certificate must have a different certificate Subject.
    • Optionally, a machine solution user certificate for external Platform Services Controller instances. This certificate differs from the machine SSL certificate for the Platform Services Controller.

    Typically, the result is a PEM file for the trusted chain, plus the signed SSL certificates for each Platform Services Controller or management node.

  2. List the TRUSTED_ROOTS and machine SSL stores.
    vecs-cli store list 
    1. Ensure that the current root certificate and all machine SSL certificates are signed by VMCA.
    2. Note down the Serial number, issuer, and Subject CN fields.
    3. (Optional) With a Web browser, open an HTTPS connection to a node where the certificate will be replaced, check the certificate information, and ensure that it matches the machine SSL certificate.
  3. Stop all services and start the services that handle certificate creation, propagation, and storage.
    The service names differ on Windows and the vCenter Server Appliance.
    Note: If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
    service-control --stop --all
    service-control --start VMWareAfdService
    service-control --start VMWareDirectoryService
    service-control --start VMWareCertificateService
    vCenter Server Appliance
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
  4. Publish the custom root certificate.
    dir-cli trustedcert publish --cert <my_custom_root>
    If you do not specify a user name and password on the command line, you are prompted.
  5. Restart all services.
    service-control --start --all

What to do next

You can remove the original VMCA root certificate from the certificate store if company policy requires it. If you do, you have to refresh the vCenter Single Sign-On certificate. See Refresh the Security Token Service Certificate.