vCenter 8.0 Upgrade Fails Due to SHA1 Signature Algorithm in certificate chain when VMCA is a sub CA

Article ID: 399821


Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

In a default vCenter Server deployment, VMCA is the root certificate authority (CA). However, VMCA can also be configured as a subordinate CA, where an outside authority is the root and VMCA issues certificates from an intermediate certificate signed by that root.

  • When preparing for the upgrade to vSphere 8, the upgrade pre-check reports a SHA1 signature algorithm in the certificate chain.

Cause

If VMCA is configured as a subordinate CA and the root certificate uses a weak digital signature, then the root certificate will need to be replaced and all certificates reissued.

  • vSphere 8 does not support certificates signed with the SHA1 algorithm. Any certificates on the VCSA that use SHA1 must be removed before the upgrade.
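To find out which certificates in the chain are affected before touching anything, a practitioner would check the signature algorithm of every certificate the VCSA trusts. The following script is an added example, not VMware's code and not part of this article: it parses the outer signatureAlgorithm of each DER/PEM certificate and flags SHA1-based OIDs. It assumes the input is a PEM file of one or more certificates, for instance exported from the TRUSTED_ROOTS store with vecs-cli entry getcert (an assumption about the workflow; the article itself gives no commands). The sample chain at the bottom is a constructed DER skeleton with a placeholder tbsCertificate, so it exercises the parser but is not a real certificate.

```python
"""Flag certificates in a PEM chain whose signature algorithm is SHA1-based."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 5754) mapped to their usual names.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
WEAK_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsa-with-sha1"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID content bytes to dotted form (first arc 0/1 only, enough here)."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)        # tbsCertificate (skipped)
    _, alg, _ = _read_tlv(cert, pos)        # signatureAlgorithm AlgorithmIdentifier
    tag, oid_bytes, _ = _read_tlv(alg, 0)   # first element must be the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def pem_to_der_list(pem_text):
    """Extract every CERTIFICATE block from PEM text and base64-decode it."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split()))
            for b in re.findall(pattern, pem_text, re.S)]


def find_sha1_certs(pem_text):
    """Return [(position_in_chain starting at 1, algorithm name)] for weak certs."""
    weak = []
    for i, der in enumerate(pem_to_der_list(pem_text), start=1):
        _oid, name = signature_algorithm(der)
        if name in WEAK_ALGORITHMS:
            weak.append((i, name))
    return weak


# ---- constructed sample data below: NOT real certificates ------------------

def _der(tag, content):
    """Minimal DER encoder for the skeleton below (handles long-form lengths)."""
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_skeleton_cert(sig_oid):
    """Build a PEM block with the Certificate outer layout (tbs, alg, sig).
    The tbsCertificate is a placeholder INTEGER, so this is a constructed
    test fixture that only exercises the parser, not a usable certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 4)
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed chain: a SHA1-signed "root" followed by a SHA256-signed "leaf".
SAMPLE_CHAIN = (make_skeleton_cert("1.2.840.113549.1.1.5")
                + make_skeleton_cert("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    for pos, name in find_sha1_certs(SAMPLE_CHAIN):
        print(f"certificate #{pos} in chain uses weak signature algorithm {name}")
```

On a real VCSA you would replace SAMPLE_CHAIN with the contents of the exported PEM file(s); only the outer signatureAlgorithm is inspected, which is exactly the field the upgrade pre-check objects to, so a root or intermediate flagged here is one that needs replacing before the upgrade.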

Resolution

Before proceeding, take a snapshot and/or backup of the vCenter VM. If the VCSA is part of Enhanced Linked Mode (ELM), take offline snapshots of all linked nodes.

  1. Reset the VMCA certificate using one of the following methods:
  2. Reissue all ESXi TLS certificates with the new VMCA certificate if they were signed with the previous VMCA certificate.
  3. Remove the old and now unused CA root certificate and intermediate certificates from the TRUSTED_ROOTS store of VECS.
  4. Push the CA certificate changes to the ESXi hosts using "Refresh CA Certificates" in the vSphere UI.