You can use custom certificates from an enterprise or third-party CA. The first step is requesting the certificates from the certificate authority and importing the root certificates into VMware Endpoint Certificate Store (VECS).


The certificate must meet the following requirements:

  • Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
  • x509 version 3
  • For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
  • SubjectAltName must contain DNS Name=<machine_FQDN>.
  • CRT format
  • Contains the following Key Usages: Digital Signature, Key Encipherment
  • Start time of one day before the current time.
  • CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.


  1. Send the Certificate Signing Requests (CSRs) for the following certificates to your enterprise or third-party certificate provider.
    • A machine SSL certificate for each machine. For the machine SSL certificate, the SubjectAltName field must contain the fully qualified domain name (DNS NAME=machine_FQDN).
    • Optionally, five solution user certificates for each node. Solution user certificates do not need to include IP address, host name, or email address. Each certificate must have a different certificate Subject.

    Typically, the result is a PEM file for the trusted chain, plus the signed SSL certificates for each vCenter Server node.

  2. List the TRUSTED_ROOTS and the machine SSL stores.
    vecs-cli store list 
    1. Ensure that the current root certificate and all machine SSL certificates are signed by VMCA.
    2. Note down the Serial number, issuer, and Subject CN fields.
    3. (Optional) With a Web browser, open an HTTPS connection to a node where the certificate is to be replaced, view the certificate information, and ensure that it matches the machine SSL certificate.
  3. Stop all services and start the services that handle certificate creation, propagation, and storage.
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
  4. Publish the custom root certificate.
    dir-cli trustedcert publish --cert <my_custom_root>
    If you do not specify a user name and password on the command line, you are prompted.
  5. Restart all services.
    service-control --start --all

What to do next

You can remove the original VMCA root certificate from the certificate store if your company policy requires it. If you do, you have to refresh the vCenter Single Sign-On certificate. See Replace a vCenter Server STS Certificate Using the Command Line.