Generate a new certificate that is provisioned by VMware Certificate Authority (VMCA), or a new certificate that includes VMCA as a subordinate certificate.
Use the following command to check the vSphere Authentication Proxy certificate expiry date on an existing vCenter Server:
openssl x509 -noout -in /var/lib/vmware/vmcam/ssl/rui.crt -enddate
VMware vCenter Server
The Authentication Proxy certificate is generated when vCenter Server is deployed.
Use the steps below to replace the Authentication Proxy certificate manually.
NOTE: Take an offline snapshot of the vCenter Server before proceeding with manual replacement of the certificates.
1. Make a copy of certool.cfg.
cp /usr/lib/vmware-vmca/share/config/certool.cfg /var/lib/vmware/vmcam/ssl/vmcam.cfg
2. Edit /var/lib/vmware/vmcam/ssl/vmcam.cfg and fill in the details of your organization, as in the following example (less only displays the result; use an editor such as vi to make the changes):
less /var/lib/vmware/vmcam/ssl/vmcam.cfg
Country = US
Name = CA
Organization = VMware
OrgUnit = VMware Engineering
State = California
Locality = Palo Alto
IPAddress = 127.0.0.1
Email = [email protected]
Hostname = server.acme.com
3. Rename the old certificate and key using the commands below:
mv /var/lib/vmware/vmcam/ssl/rui.crt /var/lib/vmware/vmcam/ssl/rui.crt.old
mv /var/lib/vmware/vmcam/ssl/rui.key /var/lib/vmware/vmcam/ssl/rui.key.old
4. Generate a new private key (specify the FQDN of the vCenter Server instead of localhost):
/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/var/lib/vmware/vmcam/ssl/rui.key --pubkey=/tmp/vmcam.pub --server=localhost
5. Generate the certificate using the newly generated private key (specify the FQDN instead of localhost):
/usr/lib/vmware-vmca/bin/certool --server=localhost --gencert --privkey=/var/lib/vmware/vmcam/ssl/rui.key --cert=/var/lib/vmware/vmcam/ssl/rui.crt --config=/var/lib/vmware/vmcam/ssl/vmcam.cfg
6. Restart the vmcam service (the command name is lower case; the appliance shell is case sensitive):
service-control --stop vmcam && service-control --start vmcam