If your company policy requires it, you can use the CLI to replace some or all certificates used in vSphere with certificates that are signed by a third-party or enterprise CA. If you do that, VMCA is not in your certificate chain. You are responsible for storing all vCenter certificates in VECS.
Even if you decide to use custom certificates, you can still use the VMware Certificate Manager utility for certificate replacement. See Replace All Certificates with a Custom Certificate Using the Certificate Manager.
If you encounter problems with vSphere Auto Deploy after replacing certificates, see the VMware knowledge base article at https://kb.vmware.com/s/article/2000988.
Request Certificates and Import a Custom Root Certificate Using the CLI
You can use custom certificates from an enterprise or third-party CA. The first step is to request the certificates from the certificate authority and then use the CLI to import the root certificates into the VMware Endpoint Certificate Store (VECS).
Prerequisites
The certificate must meet the following requirements:
- Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3
- For root certificates, the CA extension (Basic Constraints) must be set to true, and Certificate Sign must be in the list of key usages.
- SubjectAltName must contain DNS Name=<machine_FQDN>.
- CRT format
- Contains the following Key Usages: Digital Signature, Key Encipherment
- Start time of one day before the current time.
- CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
Procedure
What to do next
You can remove the original VMCA root certificate from the certificate store if your company policy requires it. If you do, you have to refresh the vCenter Single Sign-On certificate. See Replace a vCenter Server STS Certificate Using the Command Line.
Replace Machine SSL Certificates with Custom Certificates Using the CLI
After you receive the custom certificates, you can use the CLI to replace each machine certificate. You need the following:
- Password for administrator@vsphere.local
- Valid Machine SSL custom certificate (.crt file)
- Valid Machine SSL custom key (.key file)
- Valid custom certificate for Root (.crt file)
Prerequisites
You must have received a certificate for each machine from your third-party or enterprise CA. The certificate must meet the following requirements:
- Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
- Contains the following Key Usages: Digital Signature, Key Encipherment
Perform the steps on each vCenter Server host.
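As an added pre-import check (example code, not VMware's own), the script below verifies a candidate PEM certificate against the requirements listed in the two prerequisite lists above (key size, X.509 v3, Key Usage, CA extension and Certificate Sign for roots, DNS SAN, and the start-time rule) before it is published to VECS. It assumes the Python `cryptography` package is installed, and the FQDN you pass in is assumed to be the name in the vCenter Server inventory.

```python
# Added example, not VMware's code. Assumes the `cryptography` package is installed.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives.asymmetric import rsa

def _not_before_utc(cert):
    # cryptography >= 42 has a tz-aware property; older versions return naive UTC.
    nb = getattr(cert, "not_valid_before_utc", None)
    return nb if nb is not None else cert.not_valid_before.replace(tzinfo=dt.timezone.utc)

def check_certificate(pem_bytes, expected_fqdn=None, is_root=False, now=None):
    """Return the list of requirement violations; empty means the certificate passes.
    expected_fqdn: host name that must appear as a DNS SAN (None for a root certificate).
    is_root: also require the CA extension and the Certificate Sign (keyCertSign) usage."""
    cert = x509.load_pem_x509_certificate(pem_bytes)
    now = now or dt.datetime.now(dt.timezone.utc)
    problems = []
    if cert.version != x509.Version.v3:
        problems.append("not an X.509 version 3 certificate")
    key = cert.public_key()
    if not isinstance(key, rsa.RSAPublicKey) or not 2048 <= key.key_size <= 8192:
        problems.append("key must be RSA with 2048 to 8192 bits")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not (ku.digital_signature and ku.key_encipherment):
            problems.append("Key Usage must include Digital Signature and Key Encipherment")
        if is_root and not ku.key_cert_sign:
            problems.append("root Key Usage must include keyCertSign")
    except x509.ExtensionNotFound:
        problems.append("Key Usage extension missing")
    if is_root:
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            if not bc.ca:
                problems.append("root CA extension is not true")
        except x509.ExtensionNotFound:
            problems.append("root has no Basic Constraints extension")
    if expected_fqdn is not None:
        try:
            san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
            if expected_fqdn not in san.get_values_for_type(x509.DNSName):
                problems.append(f"SubjectAltName lacks DNS Name={expected_fqdn}")
        except x509.ExtensionNotFound:
            problems.append("SubjectAltName extension missing")
    # Start-time rule from the list: notBefore at least one day in the past (clock skew).
    if _not_before_utc(cert) > now - dt.timedelta(days=1):
        problems.append("start time is less than one day before the current time")
    return problems
```

Run it against each .crt file before the import step, and against the root certificate with `is_root=True`; a non-empty result tells you which requirement the CA-issued certificate misses.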