When you want to use third-party certificates in your environment, you must make sure that they meet the following requirements. Certificates that VMCA provisions already meet these requirements.

Key size: 2048 bits or more (PEM encoded)

PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.

x509 version 3

For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.

SubjectAltName must contain DNS Name=<machine_FQDN>

CRT format

Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Note

The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2, md5WithRSAEncryption 1.2.840.113549.1.1.4, and sha1WithRSAEncryption 1.2.840.113549.1.1.5 are not recommended. The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10 is not supported.
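
A pre-flight check for the requirements above, as an added example that is not VMware code: it reads the text that `openssl x509 -noout -text` prints for a certificate and reports which requirements are not met. The function names, the sample text and the host name vc01.example.test are assumptions made for illustration.

```python
import re
# Signature algorithm names as `openssl x509 -noout -text` prints them.
NOT_RECOMMENDED = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}
NOT_SUPPORTED = {"rsassaPss"}  # OpenSSL's name for RSASSA-PSS, OID 1.2.840.113549.1.1.10
REQUIRED_USAGES = {"Digital Signature", "Non Repudiation", "Key Encipherment"}

def _after(label, text):
    """Return the stripped line that follows an extension header, or ''."""
    m = re.search(re.escape(label) + r"[^\n]*\n\s*([^\n]+)", text)
    return m.group(1).strip() if m else ""

def check_cert_text(text, fqdn):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = re.search(r"Version:\s*(\d+)", text)
    if not m or m.group(1) != "3":
        findings.append("not x509 version 3")
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not m or int(m.group(1)) < 2048:
        findings.append("key size below 2048 bits")
    m = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = m.group(1) if m else ""
    if alg in NOT_SUPPORTED:
        findings.append(f"signature algorithm {alg} is not supported")
    elif alg in NOT_RECOMMENDED:
        findings.append(f"signature algorithm {alg} is not recommended")
    usages = {u.strip() for u in _after("X509v3 Key Usage:", text).split(",")}
    missing = REQUIRED_USAGES - usages
    if missing:
        findings.append("missing key usage: " + ", ".join(sorted(missing)))
    sans = {s.strip().lower() for s in _after("X509v3 Subject Alternative Name:", text).split(",")}
    if "dns:" + fqdn.lower() not in sans:
        findings.append(f"SubjectAltName lacks DNS:{fqdn}")
    return findings

# Constructed sample in the layout openssl prints (not a real certificate).
GOOD = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vc01.example.test
"""
BAD = GOOD.replace("sha256With", "sha1With").replace("2048", "1024").replace("Non Repudiation, ", "")
```

For a real certificate, pass the output of `openssl x509 -in <file> -noout -text` as `text`. The root-certificate requirement (CA extension and cert sign) is not covered by this check.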