When you want to use third-party certificates in your environment, you must make sure that they meet requirements. Certificates that VMCA provisions already meet these requirements.

Key size: 2048 bits or more (PEM encoded)

PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8

x509 version 3

For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.

SubjectAltName must contain DNS Name=<machine_FQDN>

CRT format

Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

Start time of one day before the current time

CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.


The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2, md5WithRSAEncryption 1.2.840.113549.1.1.4 , and sha1WithRSAEncryption 1.2.840.113549.1.1.5 are not recommended. The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10 is not supported.