Performing a certificate status check using vCert results in a NO PNID status for the machine SSL certificate


Article ID: 401098


Products

VMware vCenter Server, VMware vCenter Server 8.0

Issue/Introduction

When using the vCert utility to perform a certificate status check on a vCenter Server Appliance (VCSA), the check returns a NO PNID result for the Machine SSL certificate:

Checking Machine SSL certificate                                        NO PNID

Environment

vCenter 7.x
vCenter 8.x

Cause

vCert reports NO PNID when the Primary Network Identifier (PNID) is not present in the Subject Alternative Name (SAN) extension of the Machine SSL certificate, or when the SAN entry differs from the PNID only in letter case. vCert compares the two values case-sensitively, because vCenter Server PNIDs are strictly case-sensitive; a case-insensitive match is therefore not sufficient.

For example, if the vCenter PNID is configured in uppercase, but the certificate SAN is in lowercase, the vCert tool will report a NO PNID validation failure.

Resolution

Take an offline snapshot of the VCSA, and of every other VCSA in the same Enhanced Linked Mode (ELM) / SSO domain, before making any changes to the VCSA configuration.

If the VMware Certificate Authority (VMCA) issues your certificates, regenerate the VCSA Machine SSL certificate with vCert. The session below shows vCert with the most common options for regenerating the VMCA-signed certificates; in some environments other values are required:

# cd vCert-6.0.1-20250516
# python vCert.py

------------------------!!! Attention !!!------------------------

This script is intended to be used at the direction of Broadcom Global Support.

Changes made could render this system inoperable. Please ensure you have a valid
VAMI-based backup or offline snapshots of ALL vCenter/PSC nodes in the SSO domain
before continuing. Please refer to the following Knowledge Base article:
https://knowledge.broadcom.com/external/article?legacyId=85662

Do you acknowledge the risks and wish to continue? [y/n]:


VCF/VVF Certificate Management Utility (version 6.0.1)
-----------------------------------------------------------------
 1. Check current certificate status
 2. View certificate info
 3. Manage certificates
 4. Manage SSL trust anchors
 5. Check configurations
 6. Reset all certificates with VMCA-signed certificates
 7. ESXi certificate operations
 8. Restart services
 9. Generate certificate report
 E. Exit

Select an option [1]: 6

Please enter a Single Sign-On administrator account [administrator@vsphere.local]:
Please provide the password for administrator@vsphere.local:


Certificate Signing Request Information
-----------------------------------------------------------------
Enter the country code [US]:
Enter the Organization name [VMware]:
Enter the Organizational Unit name [VMware Engineering]:
Enter the state [California]:
Enter the locality (city) name [Palo Alto]:
Enter the IP address (optional):
Enter an email address (optional):
Enter any additional hostnames for SAN entries (comma separated value):

Replace Machine SSL Certificate
-----------------------------------------------------------------
Generate certool configuration                                 OK
Regenerate Machine SSL certificate                             OK
Backing up Machine SSL certificate and private key             OK
Updating MACHINE_SSL_CERT certificate                          OK

Replace Solution User Certificates
-----------------------------------------------------------------
Verifying Service Principal entries exist                      OK
Generate new certificates and keys:
   machine                                                     OK
   vsphere-webclient                                           OK
   vpxd                                                        OK
   vpxd-extension                                              OK
   hvc                                                         OK
   wcp                                                         OK

Backup certificate and private key:
   machine                                                     OK
   vsphere-webclient                                           OK
   vpxd                                                        OK
   vpxd-extension                                              OK
   hvc                                                         OK
   wcp                                                         OK

Updating certificates and keys in VECS:
   machine                                                     OK
   vsphere-webclient                                           OK
   vpxd                                                        OK
   vpxd-extension                                              OK
   hvc                                                         OK
   wcp                                                         OK

Updating solution user certificates in VMware Directory:
   machine                                                     OK
   vsphere-webclient                                           OK
   vpxd                                                        OK
   vpxd-extension                                              OK
   hvc                                                         OK
   wcp                                                         OK

Update vCenter Extension Thumbprints
-----------------------------------------------------------------
com.vmware.vcIntegrity (vpxd-extension)                   UPDATED
com.vmware.vim.eam (vpxd-extension)                       UPDATED
com.vmware.vlcm.client (vpxd-extension)                   UPDATED
com.vmware.vmcam (Authentication Proxy)                   MATCHES
com.vmware.vsan.health (Machine SSL)                      UPDATED

Replace SSO STS Signing Certificate
-----------------------------------------------------------------
Generate certool configuration                                 OK
Regenerate STS signing SSL certificate                         OK
Backup and delete tenant credentials                           OK
Backup and delete trusted cert chains                          OK
Add new STS signing certificate to VMDir                       OK

Update SSL Trust Anchors
-----------------------------------------------------------------
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updating service: ########-####-####-####-############
Updated 44 service(s)

Restart VMware services [N]: y

Restarting Services
-----------------------------------------------------------------
Stopping VMware services                                       OK
Starting VMware services                                       OK

VCF/VVF Certificate Management Utility (version 6.0.1)
-----------------------------------------------------------------
 1. Check current certificate status
 2. View certificate info
 3. Manage certificates
 4. Manage SSL trust anchors
 5. Check configurations
 6. Reset all certificates with VMCA-signed certificates
 7. ESXi certificate operations
 8. Restart services
 9. Generate certificate report
 E. Exit

Select an option [1]: E

If your Machine SSL certificate is issued by a custom (external) certificate authority, follow the steps below to replace it:

1. Generate a Certificate Signing Request (CSR)

For the certificate to pass validation, the CSR must carry a Subject Alternative Name (SAN) entry that matches the vCenter Primary Network Identifier (PNID) exactly, including letter case.

Option A: Using the vCenter GUI (vSphere 7.x/8.x)

  1. Log in to the vSphere Client as administrator@vsphere.local.
  2. Navigate to Home > Administration > Certificate Management.
  3. Locate the Machine SSL certificate and click Generate Certificate Signing Request (CSR).
  4. Validation Check: Ensure the Common Name and Host fields match the vCenter FQDN exactly as the PNID is stored, including letter case.
  5. SAN Validation: In the Subject Alternative Name (SAN) field, enter the FQDN(s), short hostname, and IP address separated by commas (e.g., vcsa.domain.local,vcsa,192.168.x.x). The PNID must appear in this list with its exact case; otherwise vCert will again report NO PNID after the replacement.
  6. PNID Verification: Run the following command via SSH to print the PNID and the configured hostname and confirm that the two agree. The get-pnid output is the exact string, including case, that the SAN must contain:

     /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost && hostname -f

  See also: Replacing vCenter Machine SSL Certificate with a Custom CA-Signed Certificate Using the vCenter GUI

Option B: Using VMware Certificate Manager (CLI)

  1. Launch the tool: /usr/lib/vmware-vmca/bin/certificate-manager.
  2. Select Option 1 (Replace Machine SSL certificate with custom certificate), then Option 1 again to generate the CSR and private key.
  3. Provide the requested values (Country, Org, etc.). When prompted for the hostname, enter the PNID exactly as reported by vmafd-cli get-pnid, since that value is written into the SAN. The tool writes vmca_issued_csr.csr and vmca_issued_key.key to the output directory you specify.

  See also: Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate

2. Prepare the Certificate Chain

Once the CSR is signed by your custom CA, you must format the files correctly for import: the signed Machine SSL certificate and the CA chain (the root CA and any intermediate CA certificates) as separate PEM files. Before importing, confirm that the issued certificate still carries the PNID in its SAN with the exact case you requested; some CA policies rewrite or normalize the SAN, and a certificate whose SAN no longer contains the PNID will produce the same NO PNID result after replacement.


3. Import and Replace the Certificate

Using the vCenter GUI

  1. In Certificate Management, select the Machine SSL certificate and click Import and Replace Certificate.
  2. Select Replace with external CA certificate where CSR is generated from vCenter Server.
  3. Upload the machine_name_ssl.cer and the chain.cer file.
  4. Click Finish. The vCenter services will restart automatically.

  See also: Replacing vCenter Machine SSL Certificate with a Custom CA-Signed Certificate Using the vCenter GUI

Using Certificate Manager (CLI)

  1. Select Option 1 (Replace Machine SSL certificate with custom certificate), then Option 2 (Import custom certificate and key).
  2. Provide paths to:
    • The signed Machine SSL certificate.
    • The private key (generated in Step 1).
    • The CA root/chain certificate.
  3. Confirm with Y to proceed with the replacement and service restart.

  See also: Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate

Important Notes for vCenter 8.x:

  • Key Usage: The CA certificate(s) in the chain must carry the X.509v3 Key Usage extension. A CA certificate without it is rejected, and the replacement fails with "not a valid CA Certificate" or "Internal Server Error".
  • Snapshots: Always take an offline snapshot of the vCenter Server (and all linked nodes) before performing certificate operations.

  See also: Replacing custom Machine SSL cert fails with 'not a valid CA Certificate'
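The script below ties the case-sensitivity rule from the Cause section to the CSR-and-import procedure above. It is an added example written for this page, not vCert code and not part of the Broadcom KB: a bash script that compares the DNS names in a Machine SSL certificate's SAN against the PNID the way this article describes vCert doing it (exact, case-sensitive) and distinguishes "PNID absent" from "PNID present but in the wrong case", so you can check a CA-issued certificate before importing it or a live appliance after the fact. The hostnames and IP address in the built-in sample are constructed; the "--live" mode assumes it runs on a VCSA with vmafd-cli, vecs-cli and openssl at the paths shown.

```bash
#!/usr/bin/env bash
# Added example for this article (not vCert code, not from the KB):
# check whether a Machine SSL certificate's SAN carries the vCenter PNID
# with an exact, case-sensitive match, the condition behind vCert's
# NO PNID result. Runs offline on a constructed sample by default;
# "--live" reads the real PNID and certificate on a VCSA (assumes
# vmafd-cli, vecs-cli and openssl exist at the paths used below).

# Extract the DNS names from a subjectAltName dump such as
#   "DNS:vcsa01.example.com, DNS:vcsa01, IP Address:192.168.1.10"
# and print one name per line without the "DNS:" prefix.
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Compare the SAN DNS names against the PNID.
# Exit status: 0 = exact match, 2 = present only with different letter case
# (the mismatch this article describes), 1 = PNID absent from the SAN.
check_pnid_in_san() {
    local pnid=$1 san=$2 lc_pnid status name
    lc_pnid=$(printf '%s' "$pnid" | tr '[:upper:]' '[:lower:]')
    status=1
    # The heredoc keeps the loop in the current shell so return/status work.
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$name" = "$pnid" ]; then
            return 0
        fi
        if [ "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" = "$lc_pnid" ]; then
            status=2
        fi
    done <<EOF
$(san_dns_names "$san")
EOF
    return "$status"
}

# On the appliance: PNID from vmafd, Machine SSL certificate from VECS, SAN
# taken from the openssl text dump (works across openssl versions).
check_live_machine_ssl() {
    local pnid san
    pnid=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost) || return 3
    san=$(/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert \
              --store MACHINE_SSL_CERT --alias __MACHINE_CERT \
          | openssl x509 -noout -text \
          | sed -n '/Subject Alternative Name/{n;p;}')
    [ -n "$san" ] || return 3
    check_pnid_in_san "$pnid" "$san"
}

describe_result() {
    case "$1" in
        0) echo "OK: PNID is present in the SAN (exact match)" ;;
        2) echo "NO PNID: SAN matches the PNID only case-insensitively; re-issue with the PNID's exact case" ;;
        1) echo "NO PNID: PNID is absent from the SAN" ;;
        *) echo "ERROR: could not read the PNID or the Machine SSL certificate" ;;
    esac
}

# Constructed sample (not captured from a real appliance): PNID stored in
# uppercase, certificate SAN issued in lowercase.
SAMPLE_PNID="VCSA01.example.com"
SAMPLE_SAN="DNS:vcsa01.example.com, DNS:vcsa01, IP Address:192.168.1.10"

rc=0
if [ "${1:-}" = "--live" ]; then
    check_live_machine_ssl || rc=$?
else
    check_pnid_in_san "$SAMPLE_PNID" "$SAMPLE_SAN" || rc=$?
fi
describe_result "$rc"
```

To vet a CA-issued certificate before importing it, feed the SAN line from `openssl x509 -in machine_name_ssl.cer -noout -text` into check_pnid_in_san together with the get-pnid output; a result of 2 means the CA normalized the case and the certificate should be re-issued rather than imported.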
