VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over Secure Socket Layer (SSL) protocol connections between components.

For example, communications between a vCenter Server system and each ESXi host that it manages are encrypted, and some features, such as vSphere Fault Tolerance, require the certificate verification provided by SSL. The client verifies the authenticity of the certificate presented during the SSL handshake phase, before encryption, which protects against "man-in-the-middle" attacks.

When you replace default vCenter Server certificates, the certificates you obtain for your servers must be signed and conform to the Privacy Enhanced Mail (PEM) key format. PEM is a key format that stores data in a Base-64 encoded Distinguished Encoding Rules (DER) format.

The key used to sign certificates must be a standard RSA key with an encryption length that ranges from 512 to 4096 bits. The recommended length is 2048 bits.

Certificates signed by a commercial certificate authority, such as Entrust or Verisign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.

You must pre-trust all certificates that are signed by your own local root CA, unless you pre-trust the parent certificate, the root CA’s own certificate. You must also pre-trust any valid default certificates that you will continue to use on vCenter Server.