If company policy requires it, you can replace all certificates used in vSphere with third-party CA-signed certificates. If you do that, VMCA is not in your certificate chain but all vCenter certificates have to be stored in VECS.

You can replace all certificates or use a hybrid solution. For example, consider replacing all certificates that are used for network traffic but leaving VMCA-signed solution user certificates. Solution user certificates are used only for authentication to vCenter Single Sign-On, in place.


If you do not want to use VMCA, you are responsible for replacing all certificates yourself, for provisioning new components with certificates, and for keeping track of certificate expiration.


If company policy does not allow an intermediate CA, VMCA cannot generate the certificates for you. You use custom certificates from an enterprise or third-party CA.


After you receive the custom certificates, you can replace each machine certificate.


After you replace the machine SSL certificates, you can replace the VMCA-signed solution user certificates with third-party or enterprise certificates.


If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services.


During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. For that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.