By default vSphere 6.5 uses TLS/SSL certificates that are signed by VMCA (VMware Certificate Authority). By default, these certificates are not trusted by end-user devices or browsers. It is a security best practice to replace at least user-facing certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA). Certificates for machine-to-machine communication can remain as VMCA-signed certificates.

vCenter Server TLS Certificate Design Decision

Decision ID

Design Decision

Design Justification

Design Implication


Replace the vCenter Server machine certificate and Platform Services Controller machine certificate with a certificate signed by a 3rd party Public Key Infrastructure.

Infrastructure administrators connect to both vCenter Server and the Platform Services Controller by way of s Web browser to perform configuration, management and troubleshooting activities. Certificate warnings result with the default certificate.

Replacing and managing certificates is an operational overhead.


Use a SHA-2 or higher algorithm when signing certificates.

The SHA-1 algorithm is considered less secure and has been deprecated.

Not all certificate authorities support SHA-2.