You can view and manage certificates by using the vSphere Client. You also can perform many certificate management tasks with the vSphere Certificate Manager utility.

The vSphere Client enables you to perform these management tasks.
  • View the trusted root certificates and SSL certificates.
  • Renew existing certificates or replace certificates.
  • Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the certificate when the Certificate Authority returns it.

Most parts of the certificate replacement workflows are supported fully from the vSphere Client. For generating CSRs for machine SSL certificates, you can use either the vSphere Client or the Certificate Manage utility.

Supported Workflows

After you install a Platform Services Controller, the VMware Certificate Authority on that node provisions all other nodes in the environment with certificates by default. See vSphere Security Certificates for recommendations on the current recommendations for managing certificates.

You can use one of the following workflows to renew or replace certificates.
Renew Certificates
You can have VMCA renew SSL and solution user certificates in your environment from the vSphere Client.
Make VMCA an Intermediate CA
You can generate a CSR using the vSphere Certificate Manager utility. You can then edit the certificate you receive from the CSR to add VMCA to the chain, and then add the certificate chain and private key to your environment. When you then renew all certificates, VMCA provisions all machines and solution users with certificates that the full chain has signed.
Replace Certificates with Custom Certificates
If you do not want to use VMCA, you can generate CSRs for the certificates that you want to replace. The CA returns a root certificate and a signed certificate for each CSR. You can upload the root certificate and the custom certificates from the Platform Services Controller.
Note: If you use VMCA as an intermediate CA, or use custom certificates, you might encounter significant complexity and the potential for a negative impact to your security, and an unnecessary increase in your operational risk. For more information about managing certificates within a vSphere environment, see the blog post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at

In a mixed-mode environment, you can use CLI commands to replace the vCenter Single Sign-On certificate after replacing the other certificates. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.