Note: Ensure a valid backup of the vCenter Server and a snapshot before proceeding.VMware recommends having offline Snapshots (virtual machine powered off) of all nodes in the same SSO domain, aka running in ELM replication, before any activity that will include changes in the vCenter Server.
VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

• Starting 7.x versions of the vCenter Server use the new improved certificate management tool  vCert - Scripted vCenter Expired Certificate Replacement for all certificate management/replacement workflow. 
  
  
• Download and install vCert on the vCenter Server Appliance as described in Installation Section.
  
  
• Replacing Machine SSL certificate.
  • Use the Option 1 - Machine SSL certificate from the menu 3: Manage Certificates and replace it with VMCA or Custom certificate as per the requirement.

Follow the below steps to replace the vCenter Machine SSL certificate manually with VMCA by using the default certificate-manager tool:

1. Launch the vSphere Certificate Manager.
   
   For vCenter Server Appliance:
   
   /usr/lib/vmware-vmca/bin/certificate-manager
   
   For Windows vCenter Server 6.x:
   
   C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
    
2. Select Option 3 (Replace Machine SSL certificate with VMCA Certificate)
    
3. Provide the [email protected] password when prompted. 

4. If this replacement is on a vCenter Server with an external Platform Services Controller, then the following prompt will appear Performing operation on distributed setup, please provide valid Infrastructure Server IP. Enter the FQDN or IP address of the external Platform Services Controller this vCenter Server node is pointed to.

   Note: For vCenter 6.0 U3 onwards the new Machine_SSL certificate Host Name(Case sensitive)should match with previous Machine_SSL certificate.
    
5. If this is the first time VMCA certificates have been re-generated on this system you will be asked to configure the certool.cfg. On subsequent tasks you will be offered to re-use these values.

Note:These values will be used to define certificates issued by VMCA, following are some important values:

• Name - Enter FQDN of the vCenter Server or Platform Services Controller where you are trying to replace the certificate. This value will be used as CN or Common Name in the Certificate
• IPAddress - This is an optional parameter, enter the vCenter Server IP Address if vCenter Server PNID (hostname used during deployment, generally it will be FQDN) is IP Address. This value will be used in SAN (Subject Alternative Name) field in the Certificate
• Hostname - Enter FQDN of the vCenter Server or Platform Services Controller where you are trying to replace the certificate. This value will be used in SAN (Subject Alternative Name) field in the Certificate

Enter these values as prompted by the VMCA:

Please configure certool.cfg file with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : Acme] :
Enter proper value for 'Organization' [Default value : AcmeOrg] :
Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' [optional] :
Enter proper value for 'Email' [Default value : [email protected]] :
Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :

Enter proper value for VMCA 'Name' :  (Note: This information will be requested from vCenter Server 6.0 U3 and higher builds, you may use the FQDN of vCenter Server for this field. It will be used as Common Name for the VMCA Root Certificate)

Warning

• If you are running an external Platform Services Controller you will need to restart the services on the external vCenter Server 6.x.