When using Certificate Manager, the following formerly manual tasks are now automated by the utility:

• Certificates are automatically placed in VMware Endpoint Certificate Store (VECS)
• Regeneration of VMCA root certificates
• Stopping and restarting of services

To get started, launch the vSphere 6.x Certificate Manager utility using the Command Prompt:

• Windows vCenter server: C:Program FilesVMwarevCenter servervmcadcertificate-manager
• vCenter server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager

When you launch the vSphere Certificate Manager utility, you're presented with the following eight options to choose from. The requirements, configuration, and use of those options are listed now:

1. Replace the Machine SSL certificate with a custom certificate. This option generates Certificate Signing Requests and keys for the Machine SSL certificate and requires the following information:
   • The [email protected] password or the equivalent administrator account
   • The path to a custom certificate and key for the Machine certificate are installed
   • The path to a custom certificate for the VMCA Root certificate
2. Replace the VMCA Root certificate with a Custom Signing Certificate and replace all the certificates. This option generates Certificate Signing Requests and keys for the VMCA Root Signing certificate and requires the following:
   • The [email protected] password or equivalent administrator account
   • The certool.cfg file configured (this is used by VMCA when generating certificates)
   • Root Signing certificate
   • Root
3. Replace the Machine SSL certificate with a VMCA-generated certificate. This option replaces the Machine SSL certificate with a VMCA-generated certificate and requires the following:
   • The [email protected] password or equivalent administrator account
   • The certool.cfg file configured (this is used by VMCA when generating certificates)
4. Regenerate a new default VMCA Root certificate and replace all the certificates. This option regenerates a new default VMCA Root certificate and replaces all the certificates. It requires the following:
   • The [email protected] password or equivalent administrator account.
   • The certool.cfg file configured (this is used by VMCA when generating certificates)
5. Replace the Solution User Certificates with Custom CA certificates. This option replaces the Solution User Certificates with custom CA certificates and requires the following:
   • The [email protected] password or equivalent administrator account.
   • The path to the custom Root CA certificate.
   • The path to the custom certificate and key for the vpxd Solution User.
   • The path to the custom certificate and key for the vpxd-extension Solution User.
   • The path to the custom certificate and key for the vSphere-webclient Solution User.
   • The path to the custom certificate and key for the machine Solution User.

6. Replace the Machine SSL certificate and Solution User certificates with the VMCA-generated certificate. This option replaces the Machine SSL certificate and Solution User certificates with the VMCA-generated certificate and requires the following:
   • The [email protected] password or equivalent administrator account.
7. Revert to the last performed operation by republishing old certificates. This option reverts the last performed operation by republishing old certificates. vSphere Certificate Manager only supports one level of a revert. Running vSphere Certificate Manager Utility a second time will not allow you to revert the first of the two runs.
8. Reset all the certificates. This option resets all the certificates and requires the following:
   • The [email protected] password or equivalent administrator account.
   • The certool.cfg file configured (this is used by VMCA when generating certificates)