You can replace the VMCA root certificate with a CA-signed certificate that includes VMCA as an intermediate certificate in the certificate chain. Going forward, all certificates that VMCA generates include the full chain.

You run vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller to replace the VMCA root certificate with a custom signing certificate.

Before you begin:

Generate the CSR. You can use vSphere Certificate Manager to create the CSR. See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA).

If you prefer to create the CSR manually, the certificate that you send to be signed must meet the following requirements:

- Key size: 2048 bits or more.
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3.
- For root certificates, the CA extension must be set to true and the key usage must include cert sign.
- Make sure that all nodes in your environment are time synchronized.
- There is no explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is ten certificates.
- VMCA does not support using certificates with wildcards or more than one DNS name.
- You cannot create subsidiary CAs of VMCA.

After you receive the certificate from your third-party or enterprise CA, combine it with the initial VMCA root certificate to generate a full chain with the VMCA root certificate at the bottom. See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA).

Gather the information you will need. vSphere Certificate Manager prompts you for the following information:

- Password for administrator@vsphere.local.
- Valid custom certificate for Root (.crt file).
- Valid custom key for Root (.key file).

1. Start vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller and select option 2.

2. Select option 2 to start certificate replacement and respond to the prompts.

   a. Specify the full path to the root certificate when prompted.

   b. If you are replacing certificates for the first time, you are prompted for information to be used for the machine SSL certificate. This information includes the required FQDN of the machine and is stored in the certool.cfg file.

3. If you replace the root certificate in a multi-node deployment, you must restart services on all vCenter Server nodes.

4. In multi-node deployments, regenerate all certificates on each vCenter Server instance by using option 3 (Replace Machine SSL certificate with VMCA Certificate) and option 6 (Replace Solution user certificates with VMCA certificates).

When you replace the certificates, VMCA signs with the full chain.

Depending on your environment, you might have to replace additional certificates explicitly.

If company policy requires that you replace all certificates, replace the vmdir root certificate. See Replace the VMware Directory Service Certificate.

If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.