The vSphere Certificate Manager utility allows you to perform most certificate management tasks interactively from the command line. vSphere Certificate Manager prompts you for the task to perform, for certificate locations and other information as needed, and then stops and starts services and replaces certificates for you.

To understand more about options for replacing the default certificates, see Replacing vSphere Certificates.

Note: If you use the VMCA as an intermediate CA, or use custom certificates, you might encounter significant complexity, with the potential for a negative impact on your security and an unnecessary increase in your operational risk. For more information about managing certificates within a vSphere environment, see the blog post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at http://vmware.com/go/hybridvmca.

If you use vSphere Certificate Manager, the utility places the certificates in VECS (VMware Endpoint Certificate Store) and starts and stops the affected services for you; you do not have to perform either step yourself.

You run vSphere Certificate Manager options in sequence to complete a workflow. Several options, for example generating CSRs, are used in more than one workflow. Before you run vSphere Certificate Manager, be sure that you understand the replacement process and procure the certificates that you want to use.

Caution: vSphere Certificate Manager supports one level of revert. If you run vSphere Certificate Manager twice and notice that you unintentionally corrupted your environment, the tool cannot revert the first of the two runs.

vSphere Certificate Manager Utility Location

The vSphere Certificate Manager utility is located at:

/usr/lib/vmware-vmca/bin/certificate-manager

Note: When running vSphere Certificate Manager, some options prompt you as follows:

Enter proper value for VMCA 'Name':

Respond to this prompt by entering the fully qualified domain name of the machine on which the certificate configuration is running.
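Because the utility keeps only one level of revert, it pays to confirm before starting it that the certificate files you procured match the machine whose FQDN you will type at the VMCA 'Name' prompt. The following POSIX shell script is an added example, not VMware's code and not part of the original page; it assumes you hold the certificate, its private key and the issuing CA bundle as PEM files (the file names are placeholders) and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not VMware's code): pre-flight checks to run before you start
# /usr/lib/vmware-vmca/bin/certificate-manager with a custom certificate, so a
# mismatched file does not cost you the utility's single level of revert.
#
# Usage: preflight CERT.pem KEY.pem CHAIN.pem [FQDN]
#   CERT  - certificate you will hand to certificate-manager (file names are placeholders)
#   KEY   - its private key
#   CHAIN - issuing CA certificate(s) that CERT must verify against
#   FQDN  - name you will type at "Enter proper value for VMCA 'Name':";
#           defaults to this machine's own `hostname -f`
preflight() {
    cert=$1; key=$2; chain=$3; fqdn=${4:-$(hostname -f)}
    rc=0

    # 1. The FQDN given at the VMCA 'Name' prompt must be a DNS entry in the SAN.
    #    Split the SAN line on commas so the comparison is exact, not a substring.
    if ! openssl x509 -noout -text -in "$cert" 2>/dev/null \
            | grep -A1 'Subject Alternative Name' \
            | tr ',' '\n' | sed 's/^[[:space:]]*//' \
            | grep -qx "DNS:$fqdn"; then
        echo "FAIL: $fqdn is not a DNS subjectAltName in $cert" >&2; rc=1
    fi

    # 2. The private key must belong to the certificate: extract the public key
    #    from each side in PEM form and compare (works for RSA and EC keys).
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert" >&2; rc=1
    fi

    # 3. The certificate must chain to the CA bundle you will also supply.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $chain" >&2; rc=1
    fi

    # 4. Refuse a certificate that has already expired.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert is ready for certificate-manager on $fqdn"
    return "$rc"
}
```

Run it as `preflight machine.pem machine.key ca-chain.pem vcsa.example.com` (names are placeholders); a non-zero exit means at least one check printed a FAIL line and the files should not be handed to the utility yet.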

Workflows in the vSphere Certificate Manager Utility

The following table presents an overview of the certificate replacement workflows you can accomplish by using the vSphere Certificate Manager utility.

Table 1. Workflows in the vSphere Certificate Management Utility

Workflow: Replacing VMCA root certificate with custom signing certificate and replacing all certificates
Description: To generate the VMCA root certificate, and replace all certificates, use Option 4, Regenerate a new VMCA Root certificate and replace all Certificates.
See: Regenerate a New VMCA Root Certificate and Replace All Certificates Using the Certificate Manager

Workflow: Making VMCA an intermediate certificate authority
Description: To make VMCA an intermediate CA, you must run the vSphere Certificate Manager utility several times and use multiple options. This workflow gives the complete set of steps for replacing both machine SSL certificates and solution user certificates.
See: Make VMCA an Intermediate Certificate Authority Using the Certificate Manager

Workflow: Replacing all certificates with custom certificates
Description: To replace all certificates with custom certificates, you must run the vSphere Certificate Manager utility several times and use multiple options. This workflow gives the complete set of steps for replacing both machine SSL certificates and solution user certificates.
See: Replace All Certificates with a Custom Certificate Using the Certificate Manager

Workflow: Reverting the last performed operation
Description: To revert the last performed certificate operation and return to the previous state, use Option 7, Revert last performed operation by re-publishing old certificates.
See: Revert Last Performed Operation by Republishing Old Certificates Using the Certificate Manager

Workflow: Resetting all certificates
Description: To replace all existing vCenter certificates with certificates that are signed by VMCA, use Option 8, Reset all Certificates.
See: Reset All Certificates Using the Certificate Manager