This article explains when and how to use the vSphere Certificate Manager. The vSphere Certificate Manager can be used to perform the certificate operations listed in the options table below.
Note: In vSphere 7.x, perform steps 1 and 2 through the vCenter user interface.
Note: In vCenter Server 7.x/8.x, update the Machine SSL certificate or generate a certificate signing request from the user interface by going to
In the Machine SSL Certificate section, select the Actions pull-down menu.
Note: On a Windows-based vCenter Server, log in as an administrator, or use "Run as Administrator" if User Account Control (UAC) is enabled.
Take a snapshot of the vCenter Server before performing this activity. If the vCenter Server is in Linked Mode, take offline snapshots of all linked vCenter Servers.
To launch the vSphere Certificate Manager, execute the certificate-manager command. The menu presents the 8 options shown in the screenshots for Windows and the appliance respectively, summarized in the following table.
Option # | Detail | Required Information |
1 | Replace the Machine SSL certificate with a Custom CA Certificate. Provides a sub-option to generate Certificate Signing Request(s) and Key(s) for the Machine SSL certificate. | |
2 | Replace the VMCA Root certificate with a Custom CA Signing Certificate and replace all certificates. Provides a sub-option to generate Certificate Signing Request(s) and Key(s) for the VMCA Root Signing certificate. | Prompts: "Is replacing all Solution User certificates with custom CA needed?" (this step can optionally be performed later using Option 5, or Option 6 for VMCA-generated certificates) and "Is replacing the Machine SSL certificate with custom CA needed?" (this step can optionally be performed later using Option 1, or Option 3 for a VMCA-generated certificate). |
3 | Replace the Machine SSL certificate with a VMCA Generated Certificate | |
4 | Regenerate a new default VMCA Root Certificate and replace all certificates | |
5 | Replace the Solution User Certificates with Custom CA Certificates | |
6 | Replace the Solution User Certificates with VMCA Generated Certificates | |
7 | Revert the last performed operation by re-publishing the old certificates | |
8 | Reset all certificates | |
Note 2: The certool.cfg file is located at:
/usr/lib/vmware-vmca/share/config/certool.cfg
The default configuration of certool.cfg is shown in the following screenshot:
If the PNID of the vCenter Server is unknown, obtain it with vmafd-cli; on the VCSA:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
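Before running certificate-manager, it is worth confirming that the Hostname in certool.cfg is the vCenter PNID, since a mismatch ends up in the CSR and the resulting Machine SSL certificate. The following shell script is an added example, not code from the VMware KB: it reads key = value entries from a certool.cfg-style file, takes the PNID from vmafd-cli when that binary is present and from a supplied fallback otherwise, and fails when Hostname is missing or differs from the PNID. The sample cfg contents and the fallback PNID are constructed for the example, and the certificate-manager launch path in the comment is an assumption not stated on this page.

```sh
#!/bin/sh
# Added example (not from the VMware KB): pre-flight check of certool.cfg
# against the vCenter PNID before running certificate-manager on a VCSA.
# Assumed launch path (not stated on the page):
#   /usr/lib/vmware-vmca/bin/certificate-manager

CERTOOL_CFG=/usr/lib/vmware-vmca/share/config/certool.cfg   # path from the KB
VMAFD_CLI=/usr/lib/vmware-vmafd/bin/vmafd-cli                # path from the KB

# Print the value of one key from a "Key = value" file, trimming whitespace.
# Prints nothing if the key is absent. $1 = file, $2 = key name.
certool_get() {
    awk -v key="$2" '
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return the PNID: from vmafd-cli when it exists (on a real appliance),
# otherwise the fallback value in $1, so the example also runs offline.
get_pnid() {
    if [ -x "$VMAFD_CLI" ]; then
        "$VMAFD_CLI" get-pnid --server-name localhost
    else
        printf '%s\n' "$1"
    fi
}

# Check that Hostname in the cfg ($1) equals the PNID ($2); DNS names
# compare case-insensitively. Warn when Hostname is not an FQDN.
# Exit status 0 = OK, 1 = Hostname missing or different from the PNID.
check_certool_cfg() {
    cfg="$1"
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    host=$(certool_get "$cfg" Hostname | tr 'A-Z' 'a-z')
    if [ -z "$host" ]; then
        echo "FAIL: Hostname is not set in $cfg" >&2
        return 1
    fi
    case "$host" in
        *.*) ;;
        *)   echo "WARN: Hostname '$host' is not an FQDN" >&2 ;;
    esac
    if [ "$host" != "$want" ]; then
        echo "FAIL: Hostname '$host' does not match PNID '$want'" >&2
        return 1
    fi
    echo "OK: Hostname '$host' matches PNID"
    return 0
}

# Constructed sample in the Key = value layout certool.cfg uses (example
# values, not the file's real defaults). On an appliance, point the check
# at "$CERTOOL_CFG" instead.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
Country = US
Name = CA
Organization = Example Corp
OrgUnit = Platform Security
State = California
Locality = Palo Alto
IPAddress = 192.0.2.10
Email = pki@example.com
Hostname = vcsa01.example.com
EOF

pnid=$(get_pnid "VCSA01.example.com")   # constructed offline fallback value
check_certool_cfg "$sample_cfg" "$pnid"
rm -f "$sample_cfg"
```

On an appliance, replace the sample file with "$CERTOOL_CFG" and drop the fallback argument to get_pnid; the check should pass before any of options 1, 2 or 4 is run, because those options read certool.cfg when generating keys and CSRs.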
The certificate-manager.log file is located at (VCSA):
/var/log/vmware/vmcad/certificate-manager.log
Changing vCenter Server certificates may impact connected products, e.g. SRM, vSphere Replication and Horizon View.