The vSphere Certificate Manager utility allows you to perform most certificate management tasks interactively from the command line. vSphere Certificate Manager prompts you for the task to perform, for certificate locations and other information as needed, and then stops and starts services and replaces certificates for you.

If you use vSphere Certificate Manager, you are not responsible for placing the certificates in VECS (VMware Endpoint Certificate Store) and you are not responsible for starting and stopping services.

Before you run vSphere Certificate Manager, be sure you understand the replacement process and procure the certificates that you want to use.


vSphere Certificate Manager supports one level of revert. If you run vSphere Certificate Manager twice and notice that you unintentionally corrupted your environment, the tool cannot revert the first of the two runs.

You can run the tool on the command line as follows:


C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat




When you perform a certificate management operation by using vSphere Certificate Manager, the current certificate state is stored in the BACKUP_STORE store in VECS before certificates are replaced. You can revert the last performed operation and return to the previous state.


Use the Reset All Certificates option if you want to replace all existing vCenter certificates with certificates that are signed by VMCA.


You can regenerate the VMCA root certificate, and replace the local machine SSL certificate, and the local solution user certificates with VMCA-signed certificates. In multi-node deployments, run vSphere Certificate Manager with this option on the Platform Services Controller and then run the utility again on all other nodes and select Replace Machine SSL certificate with VMCA Certificate and Replace Solution user certificates with VMCA certificates.


You can make VMCA an Intermediate CA by following the prompts from Certificate Manager utility. After you complete the process, VMCA signs all new certificates with the full chain. If you want, you can use Certificate Manager to replace all existing certificates with new VMCA-signed certificates.


You can use the vSphere Certificate Manager utility to replace all certificates with custom certificates. Before you start the process, you must send CSRs to your CA. You can use Certificate Manager to generate the CSRs.