If you want to use third-party certificates in your environment, you must add a trusted root certificate to the certificate store.

Prerequisites

Obtain the custom root certificate from your third-party or in-house CA.

vSphere accepts only valid CA certificates for import. To be valid, a CA certificate must have the CA bit set in the Basic Constraints extension and the keyCertSign bit set in the Key Usage extension (both are X.509 v3 certificate extensions). Together, these mark the certificate as a CA certificate whose purpose is certificate signing. See https://www.rfc-editor.org/rfc/rfc5280 for more information.

Ensure that the keyCertSign bit is set for all the certificates in the chain.
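
One way to check this prerequisite before importing a chain, shown as an added example that is not VMware tooling: it assumes the OpenSSL command-line tool is installed and that the chain file is PEM-encoded, and the function name check_ca_chain is hypothetical.

```shell
#!/bin/sh
# Added example (not VMware code): pre-import check for a PEM certificate chain.
# Assumes the file is PEM-encoded; a DER-encoded .cer must be converted first.
# check_ca_chain FILE returns 0 only if every certificate in FILE has
# Basic Constraints CA:TRUE and Key Usage keyCertSign; 1 on a failure,
# 2 if no certificate was found.

check_ca_chain() (   # subshell body keeps the variables local
  chain=$1; bad=0; n=0
  tmp=$(mktemp -d) || exit 2
  # Split the bundle into one file per certificate.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert" n ".pem") }' "$chain"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || break
    n=$((n + 1))
    if ! subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null); then
      echo "FAIL: a certificate in $chain could not be parsed"; bad=1; continue
    fi
    # Dump only the X.509 v3 extensions of this certificate.
    ext=$(openssl x509 -in "$f" -noout -text -certopt \
no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux)
    if ! printf '%s\n' "$ext" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
      echo "FAIL: $subject (CA bit not set in Basic Constraints)"; bad=1
    elif ! printf '%s\n' "$ext" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
      echo "FAIL: $subject (keyCertSign not set in Key Usage)"; bad=1
    else
      echo "OK:   $subject"
    fi
  done
  rm -rf "$tmp"
  [ "$n" -gt 0 ] || { echo "FAIL: no PEM certificates found in $chain"; exit 2; }
  exit "$bad"
)
```

Run it as `check_ca_chain chain.pem`; any FAIL line names a certificate that does not meet the prerequisite above.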

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. If the system prompts you, enter the credentials of your vCenter Server.
  5. Under Trusted Root Certificates, click Add.
  6. Click Browse and select the location of the certificate chain.
    You can use a file of type CER, PEM, or CRT.
  7. Click Add.
    The certificate is added to the store.