You can add custom Machine SSL certificates to the certificate store.

Usually, replacing the machine SSL certificate for each component is sufficient.


Generate certificate signing requests (CSRs) for each certificate that you want to replace. You can generate the CSRs with the Certificate Manager utility. You can also generate a CSR for a machine SSL certificate using the vSphere Client. Place the certificate and private key in a location that the vCenter Server can access.


  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. If the system prompts you, enter the credentials of your vCenter Server.
  5. Under Machine SSL Certificate, for the certificate that you want to replace, click Actions > Import and Replace Certificate.
  6. Click the appropriate certificate replacement option and click Next.
    Option Description
    Replace with VMCA Creates a VMCA-generated CSR to replace the current certificate.
    Replace with certificate generated from vCenter Server Use a certificate signed using a vCenter Server generated CSR to replace the current certificate.
    Replace with external CA certificate (requires private key) Use a certificate signed by an external CA to replace the current certificate.
  7. Enter the CSR information, or upload the appropriate certificates.
  8. Click Replace.
    vCenter Server services restart automatically.