When using Certificate Manager, the following formerly manual tasks are now automated by the utility:
- Certificates are automatically placed in VMware Endpoint Certificate Store (VECS)
- Regeneration of VMCA root certificates
- Stopping and restarting of services
To get started, launch the vSphere 6.x Certificate Manager utility using the Command Prompt:
- Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
- vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
When you launch the vSphere Certificate Manager utility, you're presented with the following eight options to choose from. The requirements, configuration, and use of each option are listed below:
- Replace the Machine SSL certificate with a custom certificate. This option generates Certificate Signing Requests and keys for the Machine SSL certificate and requires the following information:
  - The [email protected] password or the equivalent administrator account
  - The path to a custom certificate and key for the Machine certificate
  - The path to a custom certificate for the VMCA Root certificate
- Replace the VMCA Root certificate with a Custom Signing Certificate and replace all the certificates. This option generates Certificate Signing Requests and keys for the VMCA Root Signing certificate and requires the following:
  - The [email protected] password or equivalent administrator account
  - The certool.cfg file configured (this is used by VMCA when generating certificates)
  - Root Signing certificate
  - Root
- Replace the Machine SSL certificate with a VMCA-generated certificate. This option replaces the Machine SSL certificate with a VMCA-generated certificate and requires the following:
  - The [email protected] password or equivalent administrator account
  - The certool.cfg file configured (this is used by VMCA when generating certificates)
- Regenerate a new default VMCA Root certificate and replace all the certificates. This option regenerates a new default VMCA Root certificate and replaces all the certificates. It requires the following:
  - The [email protected] password or equivalent administrator account
  - The certool.cfg file configured (this is used by VMCA when generating certificates)
- Replace the Solution User Certificates with Custom CA certificates. This option replaces the Solution User Certificates with custom CA certificates and requires the following:
  - The [email protected] password or equivalent administrator account
  - The path to the custom Root CA certificate
  - The path to the custom certificate and key for the vpxd Solution User
  - The path to the custom certificate and key for the vpxd-extension Solution User
  - The path to the custom certificate and key for the vsphere-webclient Solution User
  - The path to the custom certificate and key for the machine Solution User
- Replace the Machine SSL certificate and Solution User certificates with the VMCA-generated certificate. This option replaces the Machine SSL certificate and Solution User certificates with the VMCA-generated certificate and requires the following:
  - The [email protected] password or equivalent administrator account
- Revert to the last performed operation by republishing old certificates. This option reverts the last performed operation by republishing old certificates. vSphere Certificate Manager supports only one level of revert: if you run the utility a second time, you cannot revert the first of the two runs.
- Reset all the certificates. This option resets all the certificates and requires the following:
  - The [email protected] password or equivalent administrator account
  - The certool.cfg file configured (this is used by VMCA when generating certificates)
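A pre-flight check for the certool.cfg file that several of the options above require, as an added example that is not part of the original page or of VMware's tooling. The key names follow the sample certool.cfg shipped with VMCA; the validation rules, the function names and the expected-FQDN parameter are assumptions of this example.

```python
import ipaddress
import re
# Key names follow the sample certool.cfg shipped with VMCA; the rules below
# are assumptions made for this example, not VMware's own validation.
REQUIRED = ("Country", "Name", "Organization", "OrgUnit", "State", "Locality", "Hostname")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN = re.compile(rf"(?:{LABEL}\.)+[A-Za-z]{{2,63}}")

def parse_certool_cfg(text):
    """Parse 'Key = value' lines, ignoring blank lines and '#' comments."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_certool_cfg(text, expected_fqdn):
    """Return a list of problems; an empty list means no issue was found."""
    cfg = parse_certool_cfg(text)
    problems = [f"missing or empty: {k}" for k in REQUIRED if not cfg.get(k)]
    country = cfg.get("Country", "")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("Country is not a two-letter uppercase code")
    host = cfg.get("Hostname", "")
    if host and not FQDN.fullmatch(host):
        problems.append("Hostname is not a fully qualified domain name")
    elif host and host.lower() != expected_fqdn.lower():
        problems.append("Hostname differs from the expected vCenter FQDN")
    if cfg.get("IPAddress"):  # treated as optional in this example
        try:
            ipaddress.ip_address(cfg["IPAddress"])
        except ValueError:
            problems.append("IPAddress is not a valid IP address")
    return problems

# Constructed sample with four deliberate mistakes (not from a real system).
SAMPLE = """\
Country = USA
Name = vcsa01
Organization = Example Corp
OrgUnit = Infrastructure
State = California
IPAddress = 10.0.0.300
Hostname = vcsa01
"""
if __name__ == "__main__":
    for problem in check_certool_cfg(SAMPLE, "vcsa01.example.com"):
        print("certool.cfg:", problem)
```

Running the check before choosing an option that regenerates certificates surfaces a bad subject field or a host name mismatch while the existing certificates are still in place.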