How to update expired intermediate certificate on the vCenter server

Article ID: 390761

Products

VMware vCenter Server

Issue/Introduction

This article covers two scenarios for intermediate certificate management on vCenter Server:

  • Initial Setup: Configuring VMCA as a subordinate/intermediate CA under your enterprise PKI
  • Certificate Renewal: Replacing an expired intermediate certificate with an updated certificate from your CA

Note: If your new intermediate certificate has different Subject/Authority Key Identifiers than the old certificate, you will need to renew all certificates in vCenter. See the Prerequisites section for validation steps.

Environment

  • 7.0.x
  • 8.0.x

Cause

When VMCA is configured as a subordinate CA, it signs with an intermediate certificate issued by your enterprise or third-party CA. That intermediate certificate has its own expiration date, independent of the Machine SSL and ESXi certificates issued beneath it. Once it expires, every certificate VMCA issued chains to an expired CA and fails validation, which can cause:

  • vCenter service startup failures
  • Trust validation errors for ESXi hosts
  • Client connection/certificate warnings

Resolution

Prerequisites

⚠️ IMPORTANT: Complete all prerequisite steps before proceeding with the resolution.

1. Take a Snapshot

Take an offline (powered-off) snapshot of the vCenter Server VM before making any certificate changes. In Enhanced Linked Mode environments, power off all linked vCenter Servers and snapshot them at the same time, so that a rollback restores every vmdir replica to the same state.

2. Validate Current Certificate Chain

Review the current certificates to understand your environment:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | less
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less

For detailed certificate review procedures, see: KB 321380 - Manually reviewing certificates in VMware Endpoint Certificate Store

3. Validate Key Identifiers (Critical for Renewals)

If you are replacing an expired intermediate certificate, verify that the X509v3 Subject Key Identifier (SKI) and Authority Key Identifier (AKI) of the new certificate match those of the old one before you change anything.

The SKI is derived from the public key in the certificate, so it only stays the same if your CA re-signed the existing VMCA key; the AKI identifies the CA key that signed the intermediate, so it only stays the same if the issuing CA itself has not been re-keyed. If either value differs, the new certificate is not a simple renewal: every certificate VMCA issued beneath it (the Machine SSL certificate, solution user certificates and VMCA-issued ESXi host certificates) must be regenerated.

Note: If the key identifiers do not match, follow KB 316601 - Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate for a full certificate replacement.

4. Obtain Your New Certificate

Ensure you have obtained the renewed or new intermediate certificate from your CA before proceeding.

For initial setup (generating a CSR): See KB 328308 - Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority

CSR Requirements

If generating a new CSR, it must meet these requirements:

  • Key: RSA, 2048 bits (minimum) to 8192 bits (maximum)
  • Format: PEM (PKCS#8 or PKCS#1 for RSA keys)
  • CA extension: basicConstraints = critical,CA:true
  • Key Usage: keyUsage = critical,digitalSignature,keyCertSign,cRLSign (CRL signing must be enabled)
  • Extended Key Usage: empty or Server Authentication
  • Subject: a single name; no wildcards and no multiple DNS names

For Microsoft CA template creation, see: KB 315271 - Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere
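The script below is an added example, not part of this article or of the VMware tooling it describes. It uses only the openssl CLI that ships on the vCenter appliance to implement the two checks from prerequisite 3 and the CSR requirements above: same_key_identifiers compares the SKI and AKI of an old and a new intermediate, and check_ca_csr tests a CSR against every requirement in the list. The root CA, VMCA key pair and certificates it generates are constructed fixtures (one renewal of the same key, one re-keyed replacement) so that it runs offline; the function names and file names are this example's own. Against real files, run it as same_key_identifiers old.crt new.crt and check_ca_csr vmca.csr.

```shell
#!/usr/bin/env bash
# Added example (not from this KB or from VMware tooling). Uses only the openssl
# CLI. Two checks from the prerequisites:
#   same_key_identifiers OLD NEW  - is the new intermediate a plain renewal?
#   check_ca_csr FILE             - does a CSR meet the subordinate CA requirements?
# The certificates generated at the bottom are constructed fixtures so the
# script runs offline; point the functions at your own files in practice.
set -u

# Value of one X509v3 extension from a PEM cert ("x509") or CSR ("req"),
# e.g. x509_ext x509 vmca.crt 'Subject Key Identifier'. OpenSSL prints the value
# on the line after the header; 1.1.x prefixes AKI values with "keyid:".
x509_ext() {
  openssl "$1" -in "$2" -noout -text 2>/dev/null | awk -v name="X509v3 $3:" '
    index($0, name) { grab = 1; next }
    grab { sub(/^[ \t]*/, ""); sub(/^keyid:/, ""); print; exit }'
}

# True when the extension is flagged critical.
ext_is_critical() {
  openssl "$1" -in "$2" -noout -text 2>/dev/null | grep -q "X509v3 $3: critical"
}

# Prerequisite 3: a renewal keeps the same SKI (same VMCA key) and the same AKI
# (same issuing CA key). Any difference means a full certificate replacement.
same_key_identifiers() {
  [ "$(x509_ext x509 "$1" 'Subject Key Identifier')" = "$(x509_ext x509 "$2" 'Subject Key Identifier')" ] &&
  [ "$(x509_ext x509 "$1" 'Authority Key Identifier')" = "$(x509_ext x509 "$2" 'Authority Key Identifier')" ]
}

# CSR requirements: RSA 2048-8192, critical CA:TRUE, critical keyUsage with
# digitalSignature+keyCertSign+cRLSign, EKU empty or serverAuth, no wildcard,
# at most one SAN entry. Prints every failure and returns 1 if any.
check_ca_csr() {
  local f=$1 ok=0 bits ku eku san
  bits=$(openssl req -in "$f" -noout -text 2>/dev/null | sed -nE 's/.*Public-Key: \(([0-9]+) bit\).*/\1/p' | head -1)
  [ "${bits:-0}" -ge 2048 ] && [ "${bits:-0}" -le 8192 ] || { echo "key size ${bits:-unknown} outside 2048..8192"; ok=1; }
  [ "$(x509_ext req "$f" 'Basic Constraints')" = "CA:TRUE" ] && ext_is_critical req "$f" 'Basic Constraints' ||
    { echo "basicConstraints must be critical,CA:true"; ok=1; }
  ku=$(x509_ext req "$f" 'Key Usage')
  case "$ku" in
    *"Digital Signature"*"Certificate Sign"*"CRL Sign"*) ext_is_critical req "$f" 'Key Usage' || { echo "keyUsage must be critical"; ok=1; } ;;
    *) echo "keyUsage must include digitalSignature,keyCertSign,cRLSign (got: ${ku:-none})"; ok=1 ;;
  esac
  eku=$(x509_ext req "$f" 'Extended Key Usage')
  case "$eku" in ""|"TLS Web Server Authentication") ;; *) echo "EKU must be empty or serverAuth (got: $eku)"; ok=1 ;; esac
  openssl req -in "$f" -noout -subject 2>/dev/null | grep -q '\*' && { echo "wildcard in subject"; ok=1; }
  san=$(x509_ext req "$f" 'Subject Alternative Name')
  case "$san" in *,*) echo "more than one SAN entry: $san"; ok=1 ;; esac
  return $ok
}

# --- constructed fixtures: a test root CA, a VMCA CSR, and three intermediates ---
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[req_ext]
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
sign() {  # sign CSR OUT DAYS: issue a subordinate CA cert from the test root
  openssl x509 -req -in "$1" -CA root.crt -CAkey root.key -CAcreateserial -days "$3" \
    -extfile ca.cnf -extensions v3_ca -out "$2" 2>/dev/null
}
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -x509 -key root.key -subj "/CN=Example Enterprise Root CA" -days 3650 \
  -config ca.cnf -extensions v3_ca -out root.crt 2>/dev/null
openssl genrsa -out vmca.key 2048 2>/dev/null
openssl req -new -key vmca.key -subj "/CN=VMCA Subordinate CA" -config ca.cnf -reqexts req_ext -out vmca.csr 2>/dev/null
sign vmca.csr vmca_old.crt 1          # the intermediate that is about to expire
sign vmca.csr vmca_renewed.crt 730    # renewal: same CSR, same key, new validity
openssl genrsa -out vmca2.key 2048 2>/dev/null   # re-key: a new VMCA key pair
openssl req -new -key vmca2.key -subj "/CN=VMCA Subordinate CA" -config ca.cnf -reqexts req_ext -out vmca2.csr 2>/dev/null
sign vmca2.csr vmca_rekeyed.crt 730

for new in vmca_renewed.crt vmca_rekeyed.crt; do
  if same_key_identifiers vmca_old.crt "$new"; then echo "$new: same SKI/AKI, simple renewal"
  else echo "$new: key identifiers differ, full replacement needed (KB 316601)"; fi
done
check_ca_csr vmca.csr && echo "vmca.csr meets the subordinate CA CSR requirements"
```

On a live vCenter, export the current intermediate for comparison with vecs-cli entry getcert against the TRUSTED_ROOTS store, using the alias that vecs-cli entry list shows for it, and pass that file as the first argument to same_key_identifiers.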


Resolution

Step 1: Back Up Current Certificates

Back up the current Machine SSL certificate and key:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/core/ssl_backup.cer

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/core/ssl_key.key

Step 2: Prepare the Certificate Chain File

Create a certificate chain file containing all certificates in the proper order. The order is critical:

-----BEGIN CERTIFICATE-----
<VMCA/Subordinate CA Certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate CA Certificate (if applicable)>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root CA Certificate>
-----END CERTIFICATE-----

For detailed certificate chaining guidance, see: KB 368727 - How to correctly chain custom root/intermediate SSL certificates to import into vCenter
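As an added example (not from this article or from VMware's tooling), the following script validates a chain file such as rootca_chain.crt before it is imported in Steps 5 and 6; the same check applies to the /var/core/ssl.cer built in Step 8. It splits the PEM bundle, checks that each certificate's Issuer equals the next certificate's Subject and that the bundle ends with a self-signed root, then runs openssl verify against that root, which also catches an expired intermediate. The three-tier CA hierarchy it builds is a constructed fixture; the file and function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from this KB or from VMware tooling): validate a PEM bundle
# before handing it to certool, dir-cli or vecs-cli. Ordering rule from Step 2:
# the Issuer of each certificate must equal the Subject of the one after it, and
# the last certificate must be self-signed (the root). openssl verify then checks
# the signatures and validity dates. The CAs built below are constructed fixtures.
set -u

# Split a bundle into $2/cert.1 .. $2/cert.N and print N.
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n > 0 { print > (dir "/cert." n) }
                   END { print n + 0 }' "$1"
}

dn() {  # dn subject|issuer FILE: the DN without the "subject=" / "issuer=" prefix
  openssl x509 -in "$2" -noout "-$1" | sed "s/^$1=//"
}

# check_chain_order BUNDLE -> 0 when ordered leaf -> ... -> root and the chain verifies
check_chain_order() {
  local d n i rc=0
  d=$(mktemp -d)
  n=$(split_bundle "$1" "$d")
  [ "$n" -gt 0 ] || { echo "$1: no certificates found"; rm -rf "$d"; return 1; }
  for i in $(seq 1 "$n"); do
    if [ "$i" -lt "$n" ]; then
      # cert i must have been issued by cert i+1
      [ "$(dn issuer "$d/cert.$i")" = "$(dn subject "$d/cert.$((i + 1))")" ] ||
        { echo "$1: cert $i is not issued by cert $((i + 1)); check the order"; rc=1; break; }
    else
      # the bundle must end with a self-signed root
      [ "$(dn issuer "$d/cert.$i")" = "$(dn subject "$d/cert.$i")" ] ||
        { echo "$1: last cert is not a self-signed root; the root is missing or misplaced"; rc=1; }
    fi
  done
  # Cryptographic check against the root that ends the bundle (also catches expiry).
  if [ "$rc" -eq 0 ] && ! openssl verify -CAfile "$d/cert.$n" -untrusted "$1" "$d/cert.1" >/dev/null 2>&1; then
    echo "$1: order is right but verification failed (expired certificate, or wrong CA)"; rc=1
  fi
  rm -rf "$d"
  return $rc
}

# --- constructed fixtures: root -> enterprise issuing CA -> VMCA subordinate ---
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[ca]' \
  'basicConstraints = critical,CA:true' 'keyUsage = critical,digitalSignature,keyCertSign,cRLSign' \
  'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid:always' > ca.cnf
issue() {  # issue NAME ISSUER|self : create a test CA key and certificate
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  if [ "$2" = self ]; then
    openssl req -new -x509 -key "$1.key" -subj "/CN=Example $1 CA" -days 3650 \
      -config ca.cnf -extensions ca -out "$1.crt" 2>/dev/null
  else
    openssl req -new -key "$1.key" -subj "/CN=Example $1 CA" -config ca.cnf -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 730 \
      -extfile ca.cnf -extensions ca -out "$1.crt" 2>/dev/null
  fi
}
issue root self
issue issuing root
issue vmca issuing

cat vmca.crt issuing.crt root.crt > rootca_chain.crt   # the order Step 2 requires
cat root.crt issuing.crt vmca.crt > reversed.crt       # root first: a common mistake
cat vmca.crt root.crt > missing_issuing.crt            # intermediate left out
for f in rootca_chain.crt reversed.crt missing_issuing.crt; do
  check_chain_order "$f" && echo "$f: OK, safe to import"
done
```

Run check_chain_order against the file you intend to pass to certool or dir-cli; it prints one line naming the first misplaced certificate, which is faster than diagnosing a broken trust chain after the import.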

Step 3: Stop Services and Start Certificate Services

Stop all vCenter services, then start only the services required for certificate operations:

service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad

Note: Starting only these three services during certificate work minimizes risk. For more information on service handling, see: KB 340943 - Stop, Start or Restart Services on vCenter Server

Step 4: Remove Old Intermediate Certificate (Renewals Only)

If you are replacing an expired intermediate certificate, remove the old certificate from TRUSTED_ROOTS before adding the new one.

Follow the procedure in: KB 326288 - Removing CA Certificates from the TRUSTED_ROOTS store in VECS

⚠️ WARNING: Be absolutely certain you are removing the correct certificate. Removing the wrong certificate can cause irreparable damage to the environment.

Step 5: Replace the VMCA Root Certificate (Initial Setup)

For initial subordinate CA setup, replace the VMCA root with your signed certificate:

cd /usr/lib/vmware-vmca/bin/
./certool --rootca --cert=/path/to/rootca_chain.crt --privkey=/path/to/vmca.key

This command installs the signed certificate (rootca_chain.crt, the chain file built in Step 2) and the private key used for the CSR (vmca.key) as the VMCA signing certificate. It:

  • Writes the new certificate and key to the VMCA certificate store on the file system
  • Appends the certificate to the TRUSTED_ROOTS store in VECS (after a delay)
  • Adds the certificate to vmdir (after a delay)

Step 6: Publish Certificate to VMware Directory Service

Publish the new certificate to vmdir to propagate it across all nodes:

cd /usr/lib/vmware-vmafd/bin/

For a single certificate in the chain:

./dir-cli trustedcert publish --cert /path/to/rootca_chain.crt

For multiple certificates in the chain:

./dir-cli trustedcert publish --cert /path/to/rootca_chain.crt --chain

Important: Use the --chain flag when your certificate file contains more than one certificate (e.g., subordinate CA + intermediate + root).

Replication Timing

  • vmdir replication between nodes occurs every 30 seconds
  • VECS polls vmdir for new root certificates every 5 minutes
  • You do not need to manually add the certificate to VECS—it will sync automatically

Step 7: Force Refresh VECS (Optional)

If you need to expedite the sync rather than waiting for the 5-minute polling interval:

/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

Step 8: Rebuild Machine SSL Certificate Chain (Renewals Only)

If you are replacing an expired intermediate, the Machine SSL leaf certificate itself is usually still valid, and because the renewed intermediate carries the same SKI the leaf's Authority Key Identifier still points at it. What is stale is the chain stored with the leaf in VECS, which still contains the expired intermediate. Rebuild the entry with the same leaf and key and the renewed chain:

  1. Remove the old Machine SSL certificate entry:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y
    
  2. Create the new certificate chain file (machine cert + renewed intermediate + root). machine_certificate.cer is the leaf certificate only, i.e. the first certificate in the backup taken in Step 1; the order is the same as in Step 2:

    cat machine_certificate.cer intermediate_certificate.cer root_certificate.cer > /var/core/ssl.cer
    
  3. Import the new certificate chain together with the original private key backed up in Step 1:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /var/core/ssl.cer --key /var/core/ssl_key.key
    
  4. Force refresh VECS again:

    /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
    

Step 9: Restart All vCenter Services

service-control --stop --all
service-control --start --all

Verify all services start successfully and that you can log in to the vSphere Client.


Post-Change: ESXi Host Certificate Renewal

After updating the vCenter intermediate certificate, ESXi hosts managed by this vCenter should have their certificates renewed so they chain to the updated CA.

Renew ESXi Certificates via vSphere Client

  1. In the vSphere Client, select a host
  2. Navigate to Configure > System > Certificate
  3. Click Manage with VMCA (or Refresh CA Certificates for custom mode)
  4. Click Renew
  5. Wait approximately 60 seconds, then refresh the page
  6. Verify the Issuer field shows your organization's information

For detailed ESXi certificate renewal procedures, see: TechDocs - Renew or Refresh ESXi Certificates

Note: ESXi hosts must not be in maintenance mode when renewing certificates. Ensure time synchronization and DNS resolution are working correctly between vCenter and ESXi hosts.

Additional Information

Topic                                       Reference
Full subordinate CA setup workflow          KB 328308
Reviewing certificates in VECS              KB 321380
Removing CA certs from TRUSTED_ROOTS        KB 326288
Certificate chaining order                  KB 368727
MS CA template creation                     KB 315271
Service start/stop procedures               KB 340943
Scripted certificate replacement (vCert)    KB 385107
ESXi certificate renewal                    TechDocs - Renew ESXi Certificates
Full custom certificate replacement         KB 316601