When replacing certificates in deployments with large numbers of vCenter Server hosts, you can use the vSphere Certificate Management utility or replace certificates manually. Some best practices guide the process you choose.
Replacement of Machine SSL Certificates in Environments with Multiple vCenter Server Nodes
If your environment includes multiple vCenter Server nodes, you can replace certificates with the vSphere Client or the vSphere Certificate Manager utility, or manually with ESXCLI commands.
- vSphere Certificate Manager
- You run vSphere Certificate Manager on each machine. Depending on the task you perform, you are also prompted for certificate information.
- Manual Certificate Replacement
- For manual certificate replacement, you run the certificate replacement commands on each machine. See the following topics for details:
Replacement of Solution User Certificates in Environments with Multiple vCenter Server Systems in Enhanced Linked Mode
If your environment includes multiple vCenter Server systems in enhanced linked mode, follow these steps for certificate replacement.
- vSphere Certificate Manager
- You run vSphere Certificate Manager on each machine. Depending on the task you perform, you are also prompted for certificate information.
- Manual Certificate Replacement
- Follow these steps:
  - Generate or request a certificate. You need the following certificates:
    - A certificate for the machine solution user on each vCenter Server.
    - A certificate for each of the following solution users on each node:
      - vpxd solution user
      - vpxd-extension solution user
      - vsphere-webclient solution user
      - wcp solution user
  - Replace the certificates on each node. The precise process depends on the type of certificate replacement that you are performing. See Managing Certificates with the vSphere Certificate Manager Utility.
Certificate Replacement in Environments That Include External Solutions
Some solutions, such as VMware vCenter Site Recovery Manager or VMware vSphere Replication, are always installed on a different machine than the vCenter Server system. If you replace the default machine SSL certificate on the vCenter Server system, a connection error results if the solution attempts to connect to the vCenter Server system.
You can run the ls_update_certs script to resolve the issue. See the VMware knowledge base article at http://kb.vmware.com/kb/2109074 for details.
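After the machine SSL certificate has been replaced on every node, the condition an external solution must meet is that each node presents a chain that validates against the CA the solution trusts; the script below performs exactly that check from a workstation. It is an added example, not code from VMware's documentation or tooling, and the node names, port and CA bundle path are placeholders you supply.

```python
"""Confirm each vCenter Server node presents a machine SSL certificate
that chains to the expected CA. Node list and CA path are placeholders."""
import socket
import ssl

TIMEOUT = 5.0  # seconds per node


def check_node(host, port=443, cafile=None, server_hostname=None):
    """TLS-handshake with one node and classify the outcome.

    trusted     - chain validates against cafile (or system roots if None)
    untrusted   - handshake failed verification: old/self-signed cert still
                  in place, expired, or hostname not in the SAN list
    unreachable - no TCP/TLS connection could be made at all
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "untrusted", "detail": exc.verify_message}
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    # getpeercert() returns the issuer as nested tuples of (name, value) pairs
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {"host": host, "status": "trusted", "issuer": issuer,
            "not_after": cert.get("notAfter")}


def summarize(results):
    """Return (all_ok, problem_hosts); all_ok is True only if every node is trusted."""
    problems = [r["host"] for r in results if r["status"] != "trusted"]
    return (not problems, problems)


def audit(nodes, cafile):
    return [check_node(host, cafile=cafile) for host in nodes]


if __name__ == "__main__":
    NODES = ["vcenter-01.example.invalid", "vcenter-02.example.invalid"]  # placeholders
    results = audit(NODES, cafile="new-root-ca.pem")  # placeholder: CA the solutions trust
    for r in results:
        print(f"{r['host']}: {r['status']} {r.get('detail', r.get('not_after', ''))}")
    raise SystemExit(0 if summarize(results)[0] else 1)
```

Any node reported as untrusted is one that external solutions such as Site Recovery Manager or vSphere Replication will also fail to connect to until their trust is updated.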