You can view and manage certificates by using the vSphere Client. You can also perform many certificate management tasks with the vSphere Certificate Manager utility.
- View the machine SSL, Trusted Root, and Security Token Service (STS) certificates.
- Add new Trusted Root certificates, and renew or replace existing machine SSL and STS certificates.
- Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the certificate when the Certificate Authority returns it.
Most parts of the certificate replacement workflows are fully supported from the vSphere Client. To generate CSRs for machine SSL certificates, you can use either the vSphere Client or the Certificate Manager utility.
After you install a vCenter Server, the VMware Certificate Authority on that node provisions all other nodes in the environment with certificates by default. See vSphere Security Certificates for the current recommendations for managing certificates.
- Renew Certificates
  You can have the VMCA renew machine SSL, solution user, and STS certificates in your environment from the vSphere Client.
- Make VMCA an Intermediate CA
  You can generate a CSR using the vSphere Certificate Manager utility. You can then edit the certificate you receive from the CSR to add the VMCA to the chain, and then add the certificate chain and private key to your environment. When you then renew all certificates, the VMCA provisions all machines and solution users with certificates that the full chain has signed.
- Replace Certificates with Custom Certificates
  If you do not want to use the VMCA, you can generate CSRs for the certificates that you want to replace. The CA returns a root certificate and a signed certificate for each CSR. You can upload the root certificate and the custom certificates from the vCenter Server.