As I work closely with VMware Support, it’s clear that issues and confusion around vSphere 6.x certificates are still very much a pain-point for customers.
I’ve spoken a bit about this topic in the past (and have been meaning to get back to it). You can see my previous posts below (note: even though they say 6.0, they are applicable to 6.5 too):
- Caution: Solution User Certificates in vSphere 6.0
- vSphere 6.x SSL Trust Anchors
- vSphere 6.0 Certificate Series
What I want to achieve by this post is to hopefully dispel some of the confusion. First, repeat the title of this post to yourself – “Just because you can, doesn’t mean you should.”
Just because you can replace any and all certificates in a vSphere environment doesn’t mean you necessarily should.
The only question you need to be able to answer is – “What problem am I trying to solve?”
Long story short, for the majority of use cases, replacing the Machine SSL certificate on each vCenter / PSC should be sufficient. Keep reading for more information.