Using custom certificates with vSphere Authentication Proxy consists of several steps. First you generate a CSR and send it to your CA for signing. Then you place the signed certificate and key file in a location that vSphere Authentication Proxy can access.

By default, vSphere Authentication Proxy generates a CSR during first boot and asks VMCA to sign that CSR. vSphere Authentication Proxy registers with vCenter Server using that certificate. You can use custom certificates in your environment, if you add those certificates to vCenter Server.


  1. Generate a CSR for vSphere Authentication Proxy.
    1. Create a configuration file, /var/lib/vmware/vmcam/ssl/vmcam.cfg, as in the following example.
      [ req ]
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req
      [ v3_req ]
      basicConstraints = CA:false
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName =
      [ req_distinguished_name ]
      countryName = US
      stateOrProvinceName = NY
      localityName = New York
      0.organizationName = Example Inc.
      organizationalUnitName = IT Org
      commonName =

      Note the following:

      • subjectAltName: Use the format DNS:FQDN_of_vCenter_Appliance_to_use_the_CA-signed certificate.
      • commonName: Use the same FQDN of the vCenter Appliance used in subjectAltName.
    2. Run openssl to generate a CSR file and a key file, passing in the configuration file.
      openssl req -new -nodes -out vmcam.csr -newkey rsa:2048 -keyout /var/lib/vmware/vmcam/ssl/rui.key -config /var/lib/vmware/vmcam/ssl/vmcam.cfg
  2. Back up the rui.crt certificate and rui.key files, which are stored in the following location.
  3. Unregister vSphere Authentication Proxy.
    1. Go to the /usr/lib/vmware-vmcam/bin directory where the camregister script is located.
    2. Run the following command.
      camregister --unregister -a VC_address -u user
      user must be a vCenter Single Sign-On user that has administrator permissions on vCenter Server.
  4. Stop the vSphere Authentication Proxy service.
    • Tool: vCenter Server Configuration Management Interface
      Steps:
      1. In a Web browser, go to the vCenter Server Configuration Management Interface, https://vcenter-IP-address-or-FQDN:5480.
      2. Log in as root.

        The default root password is the password that you set while deploying the vCenter Server.

      3. Click Services, and click VMware vSphere Authentication Proxy.
      4. Click Stop.
    • Tool: Command line
      Steps:
      service-control --stop vmcam
  5. Replace the existing rui.crt certificate and rui.key files with the files that you received from your CA.
  6. Restart the vSphere Authentication Proxy service.
  7. Reregister vSphere Authentication Proxy explicitly with vCenter Server by using the new certificate and key.
    camregister --register -a VC_address -u user -c full_path_to_rui.crt -k full_path_to_rui.key
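
A pre-flight check for step 5, as an added example that is not part of the original procedure or of VMware's tooling: before the CA-signed files replace rui.crt and rui.key, confirm that the certificate matches the key, names the FQDN in both subjectAltName and commonName as the configuration notes require, and has not expired. The function names check_pair and make_sample, the host vc.example.test and the throwaway self-signed certificate are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not VMware tooling): checks before a CA-signed cert replaces rui.crt.

# check_pair CERT KEY FQDN
# Succeeds only if CERT carries the public key of KEY, names FQDN in both
# subjectAltName and commonName, and has not expired.
check_pair() {
    cert=$1; key=$2; fqdn=$3
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] ||
        { echo "certificate and key do not match" >&2; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fxiq "DNS:$fqdn" ||
        { echo "subjectAltName lacks DNS:$fqdn" >&2; return 1; }
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | grep -Fxiq "CN=$fqdn" ||
        { echo "commonName is not $fqdn" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# make_sample DIR FQDN: constructed test data only. Writes a throwaway key and a
# self-signed certificate from a config shaped like the vmcam.cfg shown above.
make_sample() {
    cat > "$1/vmcam.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:$2
[ req_distinguished_name ]
organizationName = Example Inc.
commonName = $2
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 -config "$1/vmcam.cfg" \
        -keyout "$1/rui.key" -out "$1/rui.crt" 2>/dev/null
}

# Demo on the constructed sample; on the appliance, pass the real file paths.
d=$(mktemp -d) && make_sample "$d" vc.example.test &&
    check_pair "$d/rui.crt" "$d/rui.key" vc.example.test && echo "pair OK"
rm -rf "$d"
```

A failed check prints the reason on stderr and returns non-zero, so the function can gate the file replacement in a script.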