You can view and manage certificates by using the vSphere Client. You can also perform many certificate management tasks with the vSphere Certificate Manager utility.
- View the trusted root certificates and SSL certificates.
- Renew existing certificates or replace certificates.
- Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the certificate when the Certificate Authority returns it.
Most parts of the certificate replacement workflows are fully supported from the vSphere Client. For generating CSRs for machine SSL certificates, you can use either the vSphere Client or the Certificate Manager utility.
Supported Workflows
After you install a Platform Services Controller, the VMware Certificate Authority on that node provisions all other nodes in the environment with certificates by default. See vSphere Security Certificates for the current recommendations for managing certificates.
- Renew Certificates
  - You can have VMCA renew SSL and solution user certificates in your environment from the vSphere Client.
- Make VMCA an Intermediate CA
  - You can generate a CSR using the vSphere Certificate Manager utility. You can then edit the certificate you receive from the CSR to add VMCA to the chain, and then add the certificate chain and private key to your environment. When you then renew all certificates, VMCA provisions all machines and solution users with certificates that the full chain has signed.
- Replace Certificates with Custom Certificates
  - If you do not want to use VMCA, you can generate CSRs for the certificates that you want to replace. The CA returns a root certificate and a signed certificate for each CSR. You can upload the root certificate and the custom certificates from the Platform Services Controller.
In a mixed-mode environment, you can use CLI commands to replace the vCenter Single Sign-On certificate after replacing the other certificates. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.