Certificate replacement in deployments that include multiple management nodes and one or more Platform Services Controller node is similar to replacement in embedded deployments. In both cases, you can use the vSphere Certificate Management utility or replace certificates manually. Some best practices guide the replacement process.

In environments with fewer than eight vCenter Server systems, VMware typically recommends a single Platform Services Controller instance and associated vCenter Single Sign-On service. In larger environments, consider using multiple Platform Services Controller instances, protected by a network load balancer. The white paper vCenter Server 6.0 Deployment Guide on the VMware website discusses this setup.

If your environment includes multiple management nodes and a single Platform Services Controller, you can replace certificates with the vSphere Certificate Manager utility, or manually with vSphere CLI commands.

vSphere Certificate Manager

You run vSphere Certificate Manager on each machine. On management nodes, you are prompted for the IP address of the Platform Services Controller. Depending on the task you perform, you are also prompted for certificate information.

Manual Certificate Replacement

For manual certificate replacement, you run the certificate replacement commands on each machine. On management nodes, you must specify the Platform Services Controller with the --server parameter. See the following topics for details:

If your environment includes multiple management nodes and a single Platform Services Controller, follow these steps for certificate replacement.

Note

When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find the local machine ID for each host. Each solution user name includes the machine ID.
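The filtering that the Note describes, written out as an added shell example that is not part of the VMware documentation. It assumes the vCenter Server Appliance default tool paths and that the combined listing comes from "dir-cli service list"; the listing below is constructed, not captured from a real deployment.

```shell
#!/bin/sh
# Added example: pick the local node's solution users out of the combined
# "dir-cli service list" output, using the machine ID from vmafd-cli.
# VMAFD_BIN is the vCenter Server Appliance default (assumption).
VMAFD_BIN=/usr/lib/vmware-vmafd/bin

# Constructed sample: one Platform Services Controller (ID ...0001) and two
# management nodes (IDs ...0002 and ...0003), as dir-cli would number them.
SAMPLE_SERVICE_LIST='1. machine-11111111-aaaa-4bbb-8ccc-000000000001
2. machine-22222222-aaaa-4bbb-8ccc-000000000002
3. vpxd-22222222-aaaa-4bbb-8ccc-000000000002
4. vpxd-extension-22222222-aaaa-4bbb-8ccc-000000000002
5. vsphere-webclient-22222222-aaaa-4bbb-8ccc-000000000002
6. machine-33333333-aaaa-4bbb-8ccc-000000000003
7. vpxd-33333333-aaaa-4bbb-8ccc-000000000003
8. vpxd-extension-33333333-aaaa-4bbb-8ccc-000000000003
9. vsphere-webclient-33333333-aaaa-4bbb-8ccc-000000000003'

# The command from the Note; only works on a vCenter Server or PSC node.
local_machine_id() {
    "$VMAFD_BIN/vmafd-cli" get-machine-id --server-name localhost
}

# local_solution_users MACHINE_ID   (dir-cli output on stdin)
# Keeps only names ending in "-MACHINE_ID" and strips the "N. " numbering,
# so the output is exactly the set of solution users to replace on this node.
local_solution_users() {
    sed -n "s/^[0-9][0-9]*\. *\(.*-$1\)\$/\1/p"
}

# Sanity check over the sample: a management node should yield four users
# (machine, vpxd, vpxd-extension, vsphere-webclient), a PSC only one.
count_local_solution_users() {
    printf '%s\n' "$SAMPLE_SERVICE_LIST" | local_solution_users "$1" | wc -l | tr -d ' '
}

# Stand-alone run: real tools when present (dir-cli prompts for the
# administrator password), otherwise the constructed sample.
if [ -x "$VMAFD_BIN/vmafd-cli" ] && [ -x "$VMAFD_BIN/dir-cli" ]; then
    id=$(local_machine_id)
    "$VMAFD_BIN/dir-cli" service list --login administrator@vsphere.local | local_solution_users "$id"
else
    printf '%s\n' "$SAMPLE_SERVICE_LIST" | local_solution_users 22222222-aaaa-4bbb-8ccc-000000000002
fi
```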

Manual Certificate Replacement

1. Generate or request a certificate. You need the following certificates:

   - A certificate for the machine solution user on the Platform Services Controller.
   - A certificate for the machine solution user on each management node.
   - A certificate for each of the following solution users on each management node:
     - vpxd solution user
     - vpxd-extension solution user
     - vsphere-webclient solution user

2. Replace the certificates on each node. The precise process depends on the type of certificate replacement that you are performing. See Managing Certificates with the vSphere Certificate Manager Utility.

If company policy requires that you replace all certificates, you also have to replace the VMware Directory Service (vmdir) certificate on the Platform Services Controller. See Replace the VMware Directory Service Certificate.

Some solutions, such as VMware vCenter Site Recovery Manager or VMware vSphere Replication, are always installed on a different machine than the vCenter Server system or Platform Services Controller. If you replace the default machine SSL certificate on the vCenter Server system or the Platform Services Controller, a connection error results when the solution attempts to connect to the vCenter Server system.

You can run the ls_update_certs script to resolve the issue. See VMware Knowledge Base article 2109074 for details.