Certificate management

Starting with vSphere 6.0, the new PSC component includes not only the SSO part but also a certificate authority, the VMware Certificate Authority (VMCA), which manages certificates for all vSphere infrastructure elements (unfortunately, it is not yet used by all the other VMware products). This simplifies not only certificate management (with auto-enrollment for expired certificates) but also the trust between the different connections.

In this environment, the vSphere certificates are generated and issued by the VMCA and stored by the vSphere Endpoint Certificate Store (VECS). To avoid browser warnings, however, you need to trust the VMware CA by adding it to your certificate chain. First of all, you need to obtain the CA root certificate. You can simply download it from the vCenter home page, under Download trusted root CA certificates:

Default web page of vCenter Server

You will download a simple download.zip file that contains both the CA certificate and the revocation list.

In order to import the certificate, you can use different approaches for a Windows system:

  • Import manually: For Internet Explorer, Edge, and Chrome, you can simply double-click on the certificate and import it into the trusted CA store. Firefox uses its own certificate repository.
  • Import by using GPO: Under Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Trusted Publishers, you can import existing certificates. Be sure to import it into the Trusted Root Certification Authorities store.
  • Add the VMCA as an intermediate CA under your existing certificate authority.
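
The manual import described above, as an added PowerShell example that is not from the original text: it lists every certificate found in download.zip and adds the VMCA root to the machine's Trusted Root Certification Authorities store only if its SHA-256 fingerprint matches one you obtained through a separate trusted channel. The archive path, the `$ExpectedSha256` placeholder, and the assumption that the archive holds the certificate as an ordinary DER or PEM file are assumptions of this example.

```powershell
# Added example: vet the root CA from vCenter's download.zip before trusting it.
# Run from an elevated prompt. The path and fingerprint below are placeholders.
param(
    [string]$ZipPath        = "$env:USERPROFILE\Downloads\download.zip",
    [string]$ExpectedSha256 = '<SHA-256 fingerprint obtained out of band>'
)

$workDir = Join-Path $env:TEMP ("vmca-" + [guid]::NewGuid())
Expand-Archive -Path $ZipPath -DestinationPath $workDir

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$found  = foreach ($file in Get-ChildItem -Path $workDir -Recurse -File) {
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
    } catch {
        continue   # not a certificate, for example the revocation list
    }
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    [pscustomobject]@{
        File         = $file.Name
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        IsCa         = [bool]($bc -and $bc.CertificateAuthority)
        IsSelfSigned = $cert.Subject -eq $cert.Issuer
        Sha256       = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-'
        Cert         = $cert
    }
}
$found | Format-List File, Subject, NotAfter, IsCa, IsSelfSigned, Sha256

# Only a self-signed CA certificate with the expected fingerprint is trusted.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]').ToUpperInvariant()
$root = $found |
    Where-Object { $_.IsCa -and $_.IsSelfSigned -and $_.Sha256 -eq $expected } |
    Select-Object -First 1
if (-not $root) {
    throw 'No self-signed CA certificate matches the expected fingerprint; nothing imported.'
}

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($root.Cert) } finally { $store.Close() }
"Imported '$($root.Subject)' into LocalMachine\Root."
```

Because the archive is fetched from the same vCenter page whose certificate the browser does not yet trust, the fingerprint comparison is what ties the imported root to the real VMCA.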

Otherwise, you can replace the CA certificate of the VMCA, or not use the VMCA at all and manage all the certificates as in the past. For more information, see VMware KB 2097936, How to use vSphere 6.x Certificate Manager (https://kb.vmware.com/kb/2097936).
