The different vRealize Suite products use TLS to encrypt session information between products. By default, the VMware Certificate Authority (VMCA), which is part of the Platform Services Controller, supplies certificates to some of the products and services. Other components are provisioned with self-signed certificates.

If you want to replace the default certificates with your own enterprise certificates or CA-signed certificates, the process differs for different components.

Certificate checking is enabled by default and TLS certificates are used to encrypt network traffic. Starting with vSphere 6.0, the VMCA assigns certificates to ESXi hosts and vCenter Server systems as part of the installation process. You can replace these certificates to use VMCA as an intermediate CA, or you can use custom certificates in your environment. vSphere version 5.5 and earlier uses self-signed certificates and you can use or replace these certificates as needed.

You can replace vSphere 6.0 certificates by using the vSphere Certificate Manager utility or certificate management CLIs. You can replace vSphere 5.5 and earlier certificates by using the Certificate Automation Tool.

Products that Use VMCA

Several VMware products receive certificates from the VMCA during installation. For those products, you have several options.
  • Leave the certificates in place for internal deployments, or consider replacing external-facing certificates but leaving internal-facing VMCA-signed certificates in place.
  • Make VMCA an intermediate certificate. Going forward, uses the full chain to sign.
  • Replace the VMCA-signed certificates with custom certificates.

See vSphere Security Considerations.

Products that Use Self-Signed Certificates

You can use products that use self-signed certificates as is. Browsers prompt users to accept or reject a self-signed certificate on first use. Users can click a link to open and view the certificate details before accepting or rejecting it. Browsers store accepted certificates locally and silently accept them for subsequent uses. You can avoid the acceptance step by replacing self-signed certificates with enterprise certificates or CA-signed certificates where needed. Product documentation explains how to replace self-signed certificates.
Table 1. Replacing Self-Signed Certificates
Product Documentation
vSphere Replication See Change the SSL Certificate of the vSphere Replication Appliance.
vRealize Automation See Updating vRealize Automation Certificates.
vRealize Log Insight See Install a Custom SSL Certificate.
vRealize Orchestrator See Changing SSL Certificates.
vRealize Operations Manager See Add a Custom Certificate to vRealize Operations Manager.
vRealize Business for Cloud Standard See Change or Replace the SSL Certificate of vRealize Business for Cloud.