Certificate management

Starting with vSphere 6.0, the new PSC component includes not only the SSO part but also a certificate authority, the VMware Certificate Authority (VMCA), which handles certificate management for all vSphere infrastructure components. This simplifies not only certificate management (with auto-enrollment for expired certificates) but also the establishment of trust between the different connections.

In this environment, the vSphere certificates are generated and issued by the VMCA and stored in the VMware Endpoint Certificate Store (VECS). However, to avoid browser warnings, you need to trust VMware's CA by adding it to your certificate chain. First of all, you need to get the CA root certificate. You can download it directly from the vCenter home page, under Download trusted root CA certificates:

You will download a simple .zip file that contains both the CA certificate and the certificate revocation list (CRL).

To import the certificate, you can use different approaches for a Windows system:

  • Import manually: For Internet Explorer, Edge, and Chrome, you can double-click on the certificate and import it into the trusted CA store. Firefox uses its own certificate store and must be handled separately.
  • Import by using a GPO: Under Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Trusted Publishers, you can import existing certificates. Be sure to import it into the Trusted Root Certification Authorities store.
  • Add it as an intermediate CA in your existing CA hierarchy.
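The manual and GPO imports above can also be scripted for a fleet of Windows administration workstations. The following PowerShell script is an added example, not code from the book or from VMware: it downloads the trusted-root bundle, extracts it, verifies the root's fingerprint against a value you obtained out-of-band (for example, read by an administrator on the vCSA shell), and adds only self-signed roots to the machine-wide Trusted Root Certification Authorities store. The hostname, the parameter names, and the /certs/download.zip path (assumed here to be the link behind Download trusted root CA certificates on the vCenter home page) are assumptions.

```powershell
# Added example (not from the book): import the VMCA root from a vCenter's
# trusted-root bundle into the LocalMachine Trusted Root store.
# Assumptions: $VCenter is a placeholder hostname; /certs/download.zip is taken
# to be the bundle link on the vCenter home page. Run from an elevated prompt.
param(
    [Parameter(Mandatory)] [string] $VCenter,
    # SHA-1 fingerprint of the VMCA root obtained out-of-band. Optional, but
    # without it you trust whatever the not-yet-trusted HTTPS endpoint served.
    [string] $ExpectedThumbprint,
    [string] $WorkDir = (Join-Path $env:TEMP 'vmca-roots')
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$zip = Join-Path $WorkDir 'download.zip'

# The vCenter certificate is not trusted yet, so Windows PowerShell would reject
# the TLS handshake. Disable validation only for this one download, then restore.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    Invoke-WebRequest -Uri "https://$VCenter/certs/download.zip" -OutFile $zip -UseBasicParsing
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
}
Expand-Archive -Path $zip -DestinationPath $WorkDir -Force

# Load every certificate in the bundle (.crt, or the PEM-encoded .0 copies meant
# for Linux clients), keep only self-signed roots and drop duplicate copies.
$roots = Get-ChildItem -Path $WorkDir -Recurse -Include '*.crt', '*.0' |
    ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName } |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Sort-Object Thumbprint -Unique
if (-not $roots) { throw "No self-signed root certificate found in $zip" }

# Pin check: the .NET Thumbprint property is the SHA-1 fingerprint shown in the
# Windows certificate dialog. Normalise the operator-supplied value first.
if ($ExpectedThumbprint) {
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    foreach ($root in $roots) {
        if ($root.Thumbprint -ne $expected) {
            throw "Refusing to trust '$($root.Subject)': thumbprint $($root.Thumbprint) does not match $expected"
        }
    }
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try {
    foreach ($root in $roots) {
        if ($store.Certificates.Contains($root)) {
            Write-Host "Already trusted: $($root.Subject) [$($root.Thumbprint)]"
            continue
        }
        $store.Add($root)
        Write-Host "Imported: $($root.Subject) [$($root.Thumbprint)]"
    }
} finally {
    $store.Close()
}

# The bundle also ships the VMCA CRL; certutil places it next to the root so
# revoked VMCA-issued certificates are recognised offline.
Get-ChildItem -Path $WorkDir -Recurse -Include '*.crl' | ForEach-Object {
    certutil.exe -addstore Root $_.FullName | Out-Null
    Write-Host "CRL added: $($_.Name)"
}
```

Save it as a .ps1 and run it once per workstation (or through a startup script), passing the fingerprint you read on the vCSA itself. Because the download happens before the root is trusted, the fingerprint comparison is the only thing standing between you and trusting a root that an interposed party could have served; treat the parameter as required in practice even though the script makes it optional. Firefox keeps its own store, as the book notes, and is not covered by this import.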

Otherwise, you can replace the CA certificate of the VMCA, or not use it at all and manage all the certificates as in the past. For more information, see VMware KB 2097936: How to use vSphere 6.x Certificate Manager at https://kb.vmware.com/kb/2097936.

If you have an existing PKI within your infrastructure, you can easily replace the self-signed VMCA root certificate with a new certificate signed by your enterprise authority. In this scenario, the VMCA certificate becomes an intermediate certificate. VMCA then provisions vCenter Server components and ESXi hosts with certificates that include the full certificate chain.
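Once the VMCA has been subordinated to your enterprise CA, the quickest way to confirm that the full chain is actually being served and trusted is to fetch the certificate a vCenter or ESXi host presents and let Windows build its chain. The script below is an added example, not code from the book or from VMware: it opens a TLS session, captures the server certificate, and prints each element of the chain Windows builds, ending at the enterprise root when the replacement worked. The hostname parameter and the output format are assumptions.

```powershell
# Added example (not from the book): show the certificate chain a vSphere
# endpoint presents on 443 and check whether Windows trusts it. After the VMCA
# root is replaced, the chain should read leaf -> VMCA (intermediate) ->
# enterprise root. $TargetHost is a placeholder for a vCenter or ESXi hostname.
param(
    [Parameter(Mandatory)] [string] $TargetHost,
    [int] $Port = 443
)
$ErrorActionPreference = 'Stop'

# Connect with a callback that accepts any certificate: this session only
# collects the certificate, the real validation is done explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient $TargetHost, $Port
try {
    $stream = $tcp.GetStream()
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
    $ssl.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
} finally {
    $tcp.Close()
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# The VMCA CRL is distributed in the download bundle rather than via an HTTP
# distribution point, so an online revocation lookup would only add noise here.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)

Write-Host "Chain built for ${TargetHost}:"
$depth = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    Write-Host ("  [{0}] {1}" -f $depth, $c.Subject)
    Write-Host ("       issued by  {0}" -f $c.Issuer)
    Write-Host ("       thumbprint {0}   valid until {1}" -f $c.Thumbprint, $c.NotAfter)
    $depth++
}

if ($trusted) {
    Write-Host "Result: the chain ends at a root in the Windows trusted store."
} else {
    Write-Host "Result: NOT trusted. Reasons:"
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}
```

Run it against the vCenter first and then against a host that has been reprovisioned by the VMCA; a host still showing a two-element chain that ends at the old self-signed VMCA root has not picked up the new certificate yet. The check covers chain trust only; browsers additionally require the subject name to match the URL you type, so connect by the same name that appears in the certificate.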

VMCA can only be managed using the CLI; there is no UI available yet. If you need to access the VMCA configuration utility, simply log in to the vCSA (or the dedicated PSC) and issue the following command:

 /usr/lib/vmware-vmca/bin/certificate-manager

The certificate manager menu will be displayed as follows:

Please be sure that you have enabled SSH access to the vCSA. You can check this through the VAMI interface of the vCSA, under the Access menu option.
