You can use vSphere Certificate Manager to generate a CSR and send the CSR to an enterprise or third-party CA for signing. You can then replace the VMCA root certificate with a custom signing certificate and replace all existing certificates with certificates that are signed by the custom CA.

You run vSphere Certificate Manager on vCenter Server to replace the VMCA root certificate with a custom signing certificate.


  • Generate the certificate chain.
  • Gather the information that you need.
    • Password for administrator@vsphere.local
    • Valid custom certificate for Root (.crt file)
    • Valid custom key for Root (.key file)


  1. Start vSphere Certificate Manager on the vCenter Server host and select option 2.
  2. Select option 2 again to start certificate replacement and respond to the prompts.
    1. Specify the full path to the root certificate when prompted.
    2. If you are replacing certificates for the first time, you are prompted for information to be used for the machine SSL certificate.
      This information includes the required FQDN of the machine and is stored in the certool.cfg file.
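Before running the procedure above, it is worth confirming that the root `.crt` and `.key` files from the prerequisites form a usable signing pair. The script below is an added example, not VMware tooling or part of the original documentation; the function names and the constructed test certificates are assumptions for illustration, and the checks are general X.509 properties of a CA certificate rather than the full set of requirements vSphere Certificate Manager enforces.

```shell
#!/bin/sh
# Added example: pre-flight checks for the custom signing certificate (.crt)
# and key (.key) before handing them to vSphere Certificate Manager.
# These are general X.509 checks run with openssl, not VMware tooling.

pubkey_digest() {  # $1 = cert|key, $2 = file; prints a digest of the public key
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null | openssl sha256
}

check_signing_pair() {  # $1 = certificate, $2 = private key; returns 0 if all pass
    cert=$1; key=$2
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL: cannot parse $cert"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "FAIL: cannot parse $key"; return 1; }
    # The private key must belong to the certificate.
    [ "$(pubkey_digest cert "$cert")" = "$(pubkey_digest key "$key")" ] ||
        { echo "FAIL: key does not match certificate"; return 1; }
    # A signing certificate must be a CA certificate that may sign certificates.
    text=$(openssl x509 -in "$cert" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' || { echo "FAIL: not a CA certificate"; return 1; }
    echo "$text" | grep -q 'Certificate Sign' || { echo "FAIL: keyUsage lacks keyCertSign"; return 1; }
    # The certificate must still be within its validity period.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL: expired"; return 1; }
    echo "OK: $cert and $key form a usable signing pair"
}

make_constructed_pair() {  # $1 = dir, $2 = ca|leaf; writes constructed test files
    if [ "$2" = ca ]; then ext='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
    else ext='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature'; fi
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=Constructed %s\n[ext]\n%s\n' \
        "$2" "$ext" > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Demo on constructed inputs: the CA pair passes; a leaf and a mismatched key fail.
demo_dir=$(mktemp -d)
make_constructed_pair "$demo_dir" ca
make_constructed_pair "$demo_dir" leaf
check_signing_pair "$demo_dir/ca.crt" "$demo_dir/ca.key"
check_signing_pair "$demo_dir/leaf.crt" "$demo_dir/leaf.key" || echo "(rejected as expected)"
check_signing_pair "$demo_dir/ca.crt" "$demo_dir/leaf.key" || echo "(rejected as expected)"
rm -rf "$demo_dir"
```

To check real files, call `check_signing_pair` with the paths to the root `.crt` and `.key` and remove the demo lines.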