After you have received the signed certificate from the CA and made it the VMCA root certificate, you can replace all machine SSL certificates.

These steps are essentially the same as the steps for replacing with a certificate that uses VMCA as the certificate authority. However, in this case, VMCA signs all certificates with the full chain.

Each machine must have a machine SSL certificate for secure communication with other services. When multiple vCenter Server instances are connected in Enhanced Linked Mode configuration, you must run the Machine SSL certificate generation commands on each node.


For each machine SSL certificate, the SubjectAltName must contain DNS Name=<Machine FQDN>.


  1. Make one copy of certool.cfg for each machine that needs a new certificate.
    You can find certool.cfg file in the /usr/lib/vmware-vmca/share/config/ directory.
  2. Edit the custom configuration file for each machine to include that machine's FQDN.
    Run NSLookup against the machine’s IP address to see the DNS listing of the name, and use that name for the Hostname field in the file.
  3. Generate a public/private key file pair and a certificate for each machine, passing in the configuration file that you just customized.
    For example:
    certool --genkey --privkey=machine1.priv
    certool --gencert --privkey=machine1.priv --cert machine42.crt --Name=Machine42_Cert --config machine1.cfg
  4. Stop all services and start the services that handle certificate creation, propagation, and storage.
    service-control --stop --all
    service-control --start vmafdd
    service-control --start vmdird
    service-control --start vmcad
  5. Add the new certificate to VECS.
    All machines need the new certificate in the local certificate store to communicate over SSL. You first delete the existing entry, then add the new entry.
    vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT  
    vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert machine1.cert
    --key machine1.priv
  6. Restart all services.
    service-control --start --all

Example: Replacing Machine SSL Certificates (VMCA Is Intermediate CA)

  1. Create a configuration file for the SSL certificate and save it as ssl-config.cfg in the current directory.
    Country = US
    Name = vmca-<FQDN-example>
    Organization = VMware
    OrgUnit = VMware Engineering
    State = California 
    Locality = Palo Alto
    Hostname = <FQDN>
  2. Generate a key pair for the machine SSL certificate. In a deployment of multiple vCenter Server instances connected in Enhanced Linked Mode configuration, run this command on each vCenter Server node.
    /usr/lib/vmware-vmca/bin/certool --genkey --privkey=ssl-key.priv

    The ssl-key.priv and files are created in the current directory.

  3. Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the VMCA root certificate with custom certificate, VMCA signs all certificates with the full chain.
    /usr/lib/vmware-vmca/bin/certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg

    The new-vmca-ssl.crt file is created in the current directory.

  4. (Optional) List the content of VECS.
    /usr/lib/vmware-vmafd/bin/vecs-cli store list
    • Sample output on vCenter Server:
      output (on vCenter):
  5. Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store and --alias values have to exactly match with the default names.
    • On each vCenter Server, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for each machine separately because each has a different FQDN.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
      /usr/lib/vmware-vmafd/bin/vecs-cli --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new-vmca-ssl.crt --key ssl-key.priv