This article explains when and how to use vSphere Certificate Manager.
The vSphere Certificate Manager can be used to:
Note: in vSphere 7.x, perform steps 1 and 2 through the vCenter user interface.
VMware vCenter Server
Note: In vSphere vCenter 7.x/8.x, in the user interface, update the Machine SSL certificate or generate a certificate signing request by going to
In the Machine SSL Certificate section, select the Actions pull-down menu.
Note: In Windows-based vCenter, log in as an administrator or use "Run as Administrator" for the command prompt (cmd) if user access control is enabled.
Take a snapshot of the vCenter before performing this activity. If the vCenter is in linked mode, take offline snapshots of all the linked vCenters together.
The certificate-manager utility is located at:
VCSA: /usr/lib/vmware-vmca/bin/certificate-manager
Windows: C:\Program Files\VMware\vCenter Server\vmcad> Certificate-manager.bat
The PNID can be obtained with these commands (VCSA and Windows respectively):
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
"C:\Program Files\VMware\vCenter Server\vmafdd"\vmafd-cli get-pnid --server-name localhost
The domain name (such as vsphere.local) can be obtained with these commands (VCSA and Windows respectively):
/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost
"C:\Program Files\VMware\vCenter Server\vmafdd"\vmafd-cli get-domain-name --server-name localhost
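As an added example (not VMware tooling and not from the original article), a small POSIX shell helper for the sanity check a practitioner wants before and after running certificate-manager: the Machine SSL certificate presented by the vCenter must list the PNID returned by vmafd-cli get-pnid in its Subject Alternative Name and should not be near expiry. It assumes openssl is on the PATH and only performs an exact (non-wildcard) SAN match.

```shell
#!/bin/sh
# Added example (not VMware tooling): sanity-check a vCenter Machine SSL
# certificate against the PNID returned by "vmafd-cli get-pnid". The cert
# must list the PNID in its Subject Alternative Name and should not be close
# to expiry. Assumes openssl is on PATH; exact (non-wildcard) SAN match only.

# Print the DNS names in a PEM certificate's SAN extension, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Exit 0 if the certificate's SAN covers the PNID (DNS names compare case-insensitively).
cert_covers_pnid() {
    cert="$1"; pnid="$2"
    san_dns_names "$cert" | tr 'A-Z' 'a-z' \
        | grep -qxF "$(printf '%s' "$pnid" | tr 'A-Z' 'a-z')"
}

# Exit 0 if the certificate stays valid for at least N more days (default 30).
cert_valid_for_days() {
    cert="$1"; days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Fetch the Machine SSL certificate a vCenter presents on port 443 into a PEM file
# (PNID is used both as the connect target and as the SNI name).
fetch_machine_ssl_cert() {
    pnid="$1"; out="$2"
    openssl s_client -connect "$pnid:443" -servername "$pnid" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Usage: check_vcenter_cert <cert.pem> <pnid>; exit 0 only if both checks pass.
check_vcenter_cert() {
    if ! cert_covers_pnid "$1" "$2"; then
        echo "FAIL: SAN of $1 does not contain PNID $2" >&2; return 1
    fi
    if ! cert_valid_for_days "$1" 30; then
        echo "FAIL: $1 expires within 30 days" >&2; return 1
    fi
    echo "OK: $1 covers PNID $2 and is valid for 30+ days"
}
```

Run fetch_machine_ssl_cert against the PNID first, then pass the saved PEM and the PNID to check_vcenter_cert; a SAN mismatch after replacing the Machine SSL certificate is the usual cause of clients and linked vCenters rejecting the new certificate.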
Option # | Detail | Required Information
1 | Replace the Machine SSL certificate with a Custom CA Certificate. Provides a sub-option to generate Certificate Signing Request(s) and Key(s) for the Machine SSL certificate. |
2 | Replace the VMCA Root certificate with a Custom CA Signing Certificate and replace all certificates. Provides a sub-option to generate Certificate Signing Request(s) and Key(s) for the VMCA Root Signing certificate. | Is replacing all Solution User certificates with a custom CA needed? Note: Optionally perform this step later using Option 5. Note: Optionally perform this step later using Option 6. Is replacing the Machine SSL Certificate with a custom CA needed? Note: Optionally perform this step later using Option 1. Note: Optionally perform this step later using Option 3.
3 | Replace the Machine SSL certificate with a VMCA Generated Certificate |
4 | Regenerate a new default VMCA Root Certificate and replace all certificates |
5 | Replace the Solution User Certificates with Custom CA Certificates |
6 | Replace the Solution User Certificates with VMCA generated Certificates |
7 | Revert the last performed operation by re-publishing the old certificates |
8 | Reset all certificates |
Note 2: The certool.cfg file is located at:
/usr/lib/vmware-vmca/share/config/certool.cfg
certool.cfg should look like the following screenshot:
The certificate-manager.log file is located at:
/var/log/vmware/vmcad/certificate-manager.log
Changing vCenter Server certificates may impact connected products, for example SRM, vSphere Replication, Horizon View, and others.