When you use VMCA as an intermediate CA, you can replace the machine SSL certificate explicitly. First you replace the VMCA root certificate on the vCenter Server, then you can replace the machine SSL certificate, which will be signed by the VMCA's new root. You can also use this option to replace machine SSL certificates that are corrupt or about to expire.

When you replace the existing machine SSL certificate with a new VMCA-signed certificate, vSphere Certificate Manager prompts you for information and enters all values, except for the password and the IP address of the vCenter Server, into the certool.cfg file.

  • Password for [email protected]
  • Two-letter country code
  • Company name
  • Organization name
  • Organization unit
  • State
  • Locality
  • IP address (optional)
  • Email
  • Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
  • IP address of vCenter Server.
  • VMCA name, that is, the fully qualified domain name of the machine on which the certificate configuration is running.
Note: As of vSphere 7.0 Update 3o, the OU (organizationalUnitName) field is no longer mandatory.

Prerequisites

  • You must know the following information to run Certificate Manager with this option.
    • Password for [email protected].
    • The FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other properties default to the predefined values but can be changed.
    • Host name or IP address of the vCenter Server system.

Procedure

  1. Start vSphere Certificate Manager and select option 3.
  2. Respond to the prompts.
    Certificate Manager stores the information in the certool.cfg file.

Results

vSphere Certificate Manager replaces the machine SSL certificate.