The first step in replacing the VMCA certificates with custom certificates is generating a CSR, sending it to be signed, and adding the returned certificate to VMCA as a root certificate.

The certificate that you send to be signed must meet the following requirements:

Key size: 2048 bits or more

PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.

x509 version 3

If you are using custom certificates, the CA extension must be set to true for root certificates, and cert sign must be included in the key usage.

CRL signing must be enabled.

Make sure that all nodes in your environment are time synchronized.

No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is ten certificates.

VMCA does not support certificates with wildcards or with more than one DNS name.

You cannot create subsidiary CAs of VMCA.

VMCA validates the following certificate attributes when you replace the root certificate:

Key size 2048 bits or more

Key Usage: Cert Sign

Basic Constraint: Subject Type CA


Generate a CSR and send it to your CA.

Follow your CA's instructions.


Prepare a certificate file that includes the signed VMCA certificate along with the full CA chain of your third-party CA or enterprise CA, and save the file, for example, as rootca1.crt.

You can accomplish this by copying all CA certificates in PEM format into a single file. You have to start with the VMCA certificate root and end with the root CA PEM certificate. For example:

<Certificate of VMCA>
<Certificate of intermediary CA>
<Certificate of Root CA>

Stop all services and start the services that handle certificate creation, propagation, and storage.

The service names differ on Windows and the vCenter Server Appliance.

Windows


service-control --stop --all
service-control --start VMWareAfdService
service-control --start VMWareDirectoryService
service-control --start VMWareCertificateService

vCenter Server Appliance

service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad

Replace the existing VMCA root CA.

certool --rootca --cert=rootca1.crt --privkey=root1.key

When you run this command, it:

Adds the new custom root certificate to the certificate location in the file system.

Appends the custom root certificate to the TRUSTED_ROOTS store in VECS (after a delay).

Adds the custom root certificate to vmdir (after a delay).


(Optional) To propagate the change to all instances of vmdir (VMware Directory Service), publish the new root certificate to vmdir, supplying the full file path for each file.

For example:

dir-cli trustedcert publish --cert rootca1.crt

Replication between vmdir nodes happens every 30 seconds. You do not have to add the root certificate to VECS explicitly because VECS polls vmdir for new root certificate files every 5 minutes.


(Optional) If necessary, you can force a refresh of VECS.

vecs-cli force-refresh

Restart all services.

service-control --start --all
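
Before the certool --rootca step in the procedure above, the chain file can be checked against the listed requirements and the required ordering. The script below is an added example, not part of the VMware documentation: check_vmca_chain, make_demo_chain and the file names they write are hypothetical, and it assumes the openssl command is available. It compares issuer and subject names only and does not verify signatures.

```shell
# Added example, not VMware code: pre-flight check of the chain file before
# "certool --rootca". Function names are hypothetical; requires openssl.
fail() { echo "FAIL: $*" >&2; exit 1; }

# Body runs in a subshell, so "exit" ends only the check and the trap cleans up.
check_vmca_chain() (
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT
  # Split the bundle into 1.pem, 2.pem, ... in file order.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n {print > (d "/" n ".pem")}' "$1"
  n=$(ls "$tmp" | wc -l); n=$((n))
  [ "$n" -ge 1 ] || fail "no PEM certificate found in $1"
  # Requirements on the first certificate (the signed VMCA certificate).
  text=$(openssl x509 -in "$tmp/1.pem" -noout -text) || fail "certificate 1 is unreadable"
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || fail "key size ${bits:-unknown} is below 2048 bits"
  for want in 'Version: 3 ' 'CA:TRUE' 'Certificate Sign' 'CRL Sign'; do
    printf '%s\n' "$text" | grep -q -- "$want" || fail "VMCA certificate lacks: $want"
  done
  # Order: each certificate is issued by the next one; the last is self-signed.
  # This compares names only; it does not verify signatures.
  i=1
  while [ "$i" -le "$n" ]; do
    next=$i; [ "$i" -lt "$n" ] && next=$((i + 1))
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash) || fail "certificate $i is unreadable"
    subject=$(openssl x509 -in "$tmp/$next.pem" -noout -subject_hash) || fail "certificate $next is unreadable"
    [ "$issuer" = "$subject" ] || fail "certificate $i is not issued by certificate $next"
    i=$((i + 1))
  done
  echo "OK: $n certificates, VMCA certificate first, root CA last"
)

# Constructed sample input: a throwaway root CA and VMCA certificate in directory $1.
make_demo_chain() (
  cd "$1" || exit 2
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' '[v3_vmca]' \
    'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > demo.cnf
  openssl req -x509 -config demo.cnf -extensions v3_vmca -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Root CA' -keyout root.key -out root.crt 2>/dev/null &&
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=Constructed VMCA' -keyout vmca.key -out vmca.csr 2>/dev/null &&
  openssl x509 -req -in vmca.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_vmca -days 1 -out vmca.crt 2>/dev/null &&
  cat vmca.crt root.crt > rootca1.crt && cat root.crt vmca.crt > reversed.crt
)

if [ "$#" -gt 0 ]; then check_vmca_chain "$1"; fi
```

Run it with the chain file as its only argument; a non-zero exit status means the file should not be passed to certool yet.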

Replace the VMCA root certificate with the custom CA root certificate using the certool command with the --rootca option.

C:\>"C:\Program Files\VMware\vCenter Server\vmcad\certool" --rootca --cert=C:\custom-certs\root.pem --privkey=C:\custom-certs\root.key

When you run this command, it:

Adds the new custom root certificate to the certificate location in the file system.

Appends the custom root certificate to the TRUSTED_ROOTS store in VECS.

Adds the custom root certificate to vmdir.

You can remove the original VMCA root certificate from the certificate store if company policy requires it. If you do, you have to refresh these internal certificates:

Replace the vCenter Single Sign-On Signing certificate. See Refresh the Security Token Service Certificate.

Replace the VMware Directory Service certificate. See Replace the VMware Directory Service Certificate.