This article explains when and how to use vSphere Certificate Manager.
The vSphere Certificate Manager can be used to:
Please note that in vSphere 7.x you can perform steps 1 and 2 through the vCenter user interface.
Note: In vSphere vCenter 7.x/8.x, in the user interface, you can update the Machine SSL certificate or generate a certificate signing request by going to
In the Machine SSL Certificate section, select the Actions pull-down menu.
Note: On a Windows-based vCenter, you must be logged in as an administrator, or use "Run as Administrator" if User Account Control is enabled.
To launch the vSphere Certificate Manager, execute the following commands:
When you run the certificate-manager command, you are presented with the eight options shown in the screenshots for Windows and the appliance respectively.
Option # | Detail | Required Information
--- | --- | ---
1 | Replace the Machine SSL certificate with a Custom CA Certificate. Provides a sub-option to generate Certificate Signing Request(s) and Key(s) for the Machine SSL certificate. |
2 | Replace the VMCA Root certificate with a Custom CA Signing Certificate and Replace all Certificates. Provides a sub-option to generate Certificate Signing Request(s) and Key(s) for the VMCA Root Signing certificate. | Prompt: "Do you wish to replace all Solution User certificates with custom CA?" (Note: you can also perform this step later using Option 5 or Option 6.) Prompt: "Do you wish to replace Machine SSL Certificate with custom CA?" (Note: you can also perform this step later using Option 1 or Option 3.)
3 | Replace the Machine SSL certificate with a VMCA Generated Certificate |
4 | Regenerate a new default VMCA Root Certificate and Replace all Certificates |
5 | Replace the Solution User Certificates with Custom CA Certificates |
6 | Replace the Solution User Certificates with VMCA generated Certificates |
7 | Revert last performed operation by re-publishing old certificates |
8 | Reset all certificates |
Note 2: The certool.cfg file is located at:
The default configuration of certool.cfg should look like the following screenshot:
If the PNID on the vCenter is unknown, it can be obtained with this command for Windows or the VCSA respectively:
Changing vCenter Server certificates may impact connected products, e.g. SRM, vSphere Replication, Horizon View, etc.