Managing Certificates with the vSphere Client

You can view and manage certificates by using the vSphere Client. You also can perform many certificate management tasks with the vSphere Certificate Manager utility.

The vSphere Client enables you to perform these management tasks.

View the machine SSL, Trusted Root, and Security Token Service (STS) certificates.
Add new Trusted Root certificates, and renew or replace existing machine SSL and STS certificates.
Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the certificate when the Certificate Authority returns it.

Most parts of the certificate replacement workflows are supported fully from the vSphere Client. For generating CSRs for machine SSL certificates, you can use either the vSphere Client or the Certificate Manage utility.

Supported Workflows

After you install a vCenter Server, the VMware Certificate Authority on that node provisions all other nodes in the environment with certificates by default. See vSphere Security Certificates for the current recommendations for managing certificates.

You can use one of the following workflows to renew or replace certificates.

Renew Certificates: You can have the VMCA renew machine SSL, solution user, and STS certificates in your environment from the vSphere Client.

Make VMCA an Intermediate CA: You can generate a CSR using the vSphere Certificate Manager utility. You can then edit the certificate you receive from the CSR to add the VMCA to the chain, and then add the certificate chain and private key to your environment. When you then renew all certificates, the VMCA provisions all machines and solution users with certificates that the full chain has signed.
Replace Certificates with Custom Certificates: If you do not want to use the VMCA, you can generate CSRs for the certificates that you want to replace. The CA returns a root certificate and a signed certificate for each CSR. You can upload the root certificate and the custom certificates from the vCenter Server.

Note: If you use the VMCA as an intermediate CA, or use custom certificates, you might encounter significant complexity and the potential for a negative impact to your security, and an unnecessary increase in your operational risk. For more information about managing certificates within a vSphere environment, see the blog post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at http://vmware.com/go/hybridvmca.