When replacing certificates in deployments with large numbers of vCenter Server hosts, you can use the vSphere Certificate Management utility or replace certificates manually using the CLIs. Some best practices guide the process you choose.

Replacement of Machine SSL Certificates in Environments with Multiple vCenter Server Systems

If your environment includes multiple vCenter Server systems, you can replace machine SSL certificates with the vSphere Client or the vSphere Certificate Manager utility, or manually with CLI commands.

Using the vSphere Certificate Manager to Replace Machine SSL Certificates on Multiple vCenter Server Systems

You run vSphere Certificate Manager on each machine. Depending on the task you perform, you are also prompted for certificate information. See the following topics for details:

Using the CLI to Manually Replace Machine SSL Certificates on Multiple vCenter Server Systems

For manual certificate replacement, you run the certificate replacement CLI commands on each machine. See the following topics for details:

Replacement of Solution User Certificates in Environments with Multiple vCenter Server Systems in Enhanced Linked Mode

If your environment includes multiple vCenter Server systems in enhanced linked mode, follow these steps for replacing solution user certificates.

Note: When you list solution user certificates in large deployments, the output of /usr/lib/vmware-vmafd/bin/dir-cli list includes all solution users from all nodes. Run /usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.

Using the vSphere Certificate Manager to Replace Machine SSL Certificates on vCenter Server Systems in ELM

You run vSphere Certificate Manager on each machine. Depending on the task you perform, you are also prompted for certificate information. See Managing Certificates Using the vSphere Certificate Manager Utility.

Using the CLI to Manually Replace Machine SSL Certificates on vCenter Server Systems in ELM

The high-level steps to manually replace machine SSL certificates on vCenter Server in ELM include:

  1. Generating or requesting a certificate.

    You need the following certificates:

    • A certificate for the machine solution user on each vCenter Server.
    • A certificate for each of the following solution users on each node:
      • vpxd solution user
      • vpxd-extension solution user
      • vsphere-webclient solution user
      • wcp solution user

  2. Using the CLI commands to replace the certificates on each node.

    The precise process depends on the type of certificate replacement that you are performing. See the following topics for details:
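The Note above (finding the local machine ID and picking out this node's solution users from the directory-wide listing) and step 2 (running the replacement CLI commands per node) are easy to get wrong in a large ELM deployment, because every node sees every other node's solution users. The following POSIX shell helper is an added example, not VMware's own tooling or part of this page: it filters a dir-cli listing down to the local node's solution users, verifies that a certificate and key file exist for each of the five solution users named above, and prints (rather than executes) the vecs-cli and dir-cli commands for one node so an operator can review the plan before emptying any VECS store. It assumes the standard appliance tool path /usr/lib/vmware-vmafd/bin, that the listing comes from `dir-cli service list`, that the certificate files are named `<solution-user>.crt` and `<solution-user>.key` in one directory, and that the VECS store and alias for each solution user carry the solution user's name; adjust those assumptions to your environment.

```shell
#!/bin/sh
# Added example helper for per-node solution user certificate replacement.
# Assumptions: standard vmafd tool path; files named <user>.crt / <user>.key;
# VECS store and alias equal the solution user name.
VMAFD_BIN=/usr/lib/vmware-vmafd/bin
SOLUTION_USERS="machine vpxd vpxd-extension vsphere-webclient wcp"

# Read a dir-cli listing ("N. <user>-<machine-id>" per line) on stdin and print
# only the solution users whose name ends in the given machine ID.
local_solution_users() {
  machine_id="$1"
  sed -e 's/^[0-9][0-9]*\. *//' | grep -- "-${machine_id}\$" || true
}

# Return 0 when every expected certificate and key file is readable, otherwise
# the number of missing files. Run this before producing a plan so a typo in a
# file name is caught before any store entry is deleted.
check_cert_files() {
  cert_dir="$1"; missing=0
  for u in $SOLUTION_USERS; do
    for f in "$cert_dir/$u.crt" "$cert_dir/$u.key"; do
      [ -r "$f" ] || { echo "missing: $f" >&2; missing=$((missing + 1)); }
    done
  done
  return "$missing"
}

# Print the commands that replace one node's solution user certificates: remove
# the old VECS entry, add the new one, then update the solution user's
# certificate in the directory under the name <user>-<machine-id>.
plan_replacement() {
  machine_id="$1"; cert_dir="$2"; login="${3:-administrator@vsphere.local}"
  for u in $SOLUTION_USERS; do
    echo "$VMAFD_BIN/vecs-cli entry delete --store $u --alias $u -y"
    echo "$VMAFD_BIN/vecs-cli entry create --store $u --alias $u --cert $cert_dir/$u.crt --key $cert_dir/$u.key"
    echo "$VMAFD_BIN/dir-cli service update --name $u-$machine_id --cert $cert_dir/$u.crt --login $login"
  done
}

# Usage on a node: sh replace_plan.sh <cert-dir> [login]
# Reads the local machine ID, checks the files, and prints the plan to review.
if [ "$#" -ge 1 ]; then
  mid=$("$VMAFD_BIN/vmafd-cli" get-machine-id --server-name localhost)
  check_cert_files "$1" || { echo "fix the missing files first" >&2; exit 1; }
  echo "# local machine ID: $mid"
  "$VMAFD_BIN/dir-cli" service list --login "${2:-administrator@vsphere.local}" | local_solution_users "$mid"
  plan_replacement "$mid" "$1" "${2:-administrator@vsphere.local}"
fi
```

Review the printed plan, then pipe the plan_replacement output to sh on that node once the names match what local_solution_users reported; repeat on every node, since each one has its own machine ID and its own set of solution user names.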

Certificate Replacement in VMware Environments That Include External Solutions

Some solutions, such as VMware vCenter Site Recovery Manager or VMware vSphere Replication, are always installed on a different machine than the vCenter Server system. If you replace the default machine SSL certificate on the vCenter Server system, a connection error results if the solution attempts to connect to the vCenter Server system.

You can run the ls_update_certs script to resolve the issue. See the VMware knowledge base article at https://kb.vmware.com/s/article/2109074.