You can generate a new certificate that is provisioned by VMCA, or a new certificate that includes VMCA as a subordinate certificate.

See Set Up vSphere Authentication Proxy to Use Custom Certificates if you want to use a custom certificate that is signed by a third-party or enterprise CA.

Prerequisites

You must have root or Administrator privileges on the system on which vSphere Authentication Proxy is running.

Procedure

  1. Make a copy of certool.cfg.
    cp /usr/lib/vmware-vmca/share/config/certool.cfg /var/lib/vmware/vmcam/ssl/vmcam.cfg
  2. Edit the copy with some information about your organization, as in the following example.
    Country = IE
    Name = vmcam
    Organization = VMware
    OrgUnit = vTSU
    State = Cork
    Locality = Cork
    Hostname = test-cam-1.test1.vmware.com
  3. Generate the new private key in /var/lib/vmware/vmcam/ssl/.
    /usr/lib/vmware-vmca/bin/certool --genkey --privkey=/var/lib/vmware/vmcam/ssl/rui.key --pubkey=/tmp/vmcam.pub --server=localhost
    In place of localhost, supply the FQDN of the vCenter Server.
  4. Generate the new certificate in /var/lib/vmware/vmcam/ssl/ using the key that you generated in Step 3 and the vmcam.cfg file that you created in Step 1 and Step 2.
    /usr/lib/vmware-vmca/bin/certool --server=localhost --gencert --privkey=/var/lib/vmware/vmcam/ssl/rui.key --cert=/var/lib/vmware/vmcam/ssl/rui.crt --config=/var/lib/vmware/vmcam/ssl/vmcam.cfg
    In place of localhost, supply the FQDN of the vCenter Server.
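
After Step 4, it is worth confirming that rui.crt really belongs to rui.key and that the private key is not readable by other accounts. The following script is an added example, not part of the original procedure or of certool; the function name check_vmcam_pair is hypothetical, and it assumes openssl and a stat that supports -c (GNU coreutils or BusyBox) are available.

```shell
#!/bin/sh
# Added example: sanity-check the key/certificate pair produced in Steps 3 and 4.
# check_vmcam_pair is a hypothetical helper name, not a certool command.
# Return codes: 0 ok, 2 unreadable input, 3 key permissions, 4 mismatch, 5 expired.

check_vmcam_pair() {
    key=$1
    cert=$2

    # Both files must exist and be non-empty.
    [ -s "$key" ] && [ -s "$cert" ] || { echo "missing key or certificate" >&2; return 2; }

    # The private key must grant nothing to group or other (for example 600 or 400).
    mode=$(stat -c %a "$key") || return 2
    case $mode in
        0|*00) ;;
        *) echo "private key mode $mode is too permissive" >&2; return 3 ;;
    esac

    # The certificate must carry the public half of this private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot parse private key" >&2; return 2; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate" >&2; return 2; }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "certificate does not match private key" >&2
        return 4
    fi

    # The certificate must not already be past its notAfter date.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 5; }

    # Print subject, issuer and validity dates for comparison with vmcam.cfg.
    openssl x509 -in "$cert" -noout -subject -issuer -dates
}

# Run the check when called with a key path and a certificate path.
if [ "$#" -eq 2 ]; then
    check_vmcam_pair "$1" "$2"
fi
```

Pass /var/lib/vmware/vmcam/ssl/rui.key and /var/lib/vmware/vmcam/ssl/rui.crt as the two arguments, and compare the printed subject with the values you entered in vmcam.cfg.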