VMware vCenter – VMCA as Subordinate CA for Certificates

In this blog I will explain how you can use your vCenter VMCA as a subordinate CA to issue certificates for your vCenter and the ESXi hosts.
In an enterprise environment you need to use certificates that are fully trusted through your own Certificate Authority. There are two options:
1). Full Custom Mode – Replace all certificates with trusted certificates
2). Subordinate CA Mode – Use the VMCA as subordinate CA to issue the certificates for the vCenter and ESXi.

In VMware we can also choose two other options, a fully managed or a hybrid mode for the certificates. Check this blog for the options.
In this blog we are going to use the subordinate CA mode. The Certificate Authority we use is a Windows CA, installed on Windows Server 2019 and configured as an Enterprise CA.


To transfer the files from the VCSA we need to enable SCP, which is disabled by default.
Log in with SSH to the VMware 7 vCenter appliance and run the following commands:

Create Certificate Signing Request (CSR)

Log in with SSH to the VMware 7 vCenter appliance and run the following commands:

We choose option 2, which replaces all certificates with custom ones.

The following two values are required:
– The hostname
– The VMCA name, which is the FQDN of the vCenter server.
Choose “1” to create the CSR.

The files are created at the following locations:
1). /tmp/vmca_issued_csr.csr
2). /tmp/vmca_issued_csr.key

Now we have the CSR file that we need to have signed by the CA in order to create the certificates and remove the certificate warning.
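Before importing what the enterprise CA returns, it is worth checking that the signed certificate actually fits the subordinate-CA role: the key pair on the VCSA must match, the certificate must carry CA:TRUE and keyCertSign (a certificate issued from a plain web-server template will not), and it must chain to the enterprise root. The script below is an added example and not part of the original post; it uses only `openssl` and builds a throwaway demo root CA plus a VMCA-style CSR (all constructed data) so the checks can be run offline. On a real VCSA you would point `check_subordinate_cert` at the signed certificate, the `/tmp/vmca_issued_csr.key` from the page, and your own root CA certificate; every file name under `$WORK` is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): validate a signed VMCA
# subordinate-CA certificate before handing it to certificate-manager.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed demo files

# Build a throwaway "enterprise root CA", a VMCA-style CSR and two signed
# certificates: one from a proper subordinate-CA profile and one from a
# plain end-entity profile (the mistake this check is meant to catch).
# All of this is constructed test data.
make_demo_material() {
  cd "$WORK"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Enterprise Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -sha256 -keyout root.key -out root.crt >/dev/null 2>&1
  # CSR shaped like the one VMCA writes to /tmp/vmca_issued_csr.csr (hostname is a placeholder)
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout vmca_issued_csr.key -out vmca_issued_csr.csr \
    -subj "/CN=CA/OU=VMware Engineering/O=vcenter.example.test/L=Palo Alto/ST=California/C=US" \
    >/dev/null 2>&1
  # Extensions a subordinate-CA template must apply.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' > subca.ext
  openssl x509 -req -in vmca_issued_csr.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile subca.ext -out vmca_signed_good.crt >/dev/null 2>&1
  # Same CSR signed without CA extensions, i.e. the wrong template was used.
  openssl x509 -req -in vmca_issued_csr.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -out vmca_signed_bad.crt >/dev/null 2>&1
}

# 1. The private key still on the VCSA must belong to the returned certificate.
key_matches_cert() {   # $1 = certificate, $2 = private key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 2. VMCA will sign certificates with this key, so the certificate must be a CA
#    certificate: CA:TRUE in Basic Constraints and Certificate Sign in Key Usage.
is_ca_cert() {   # $1 = certificate
  cert_text=$(openssl x509 -in "$1" -noout -text)
  printf '%s' "$cert_text" | grep -q 'CA:TRUE' &&
    printf '%s' "$cert_text" | grep -q 'Certificate Sign'
}

# 3. The certificate must validate against the root that vCenter and the clients trust.
chains_to_root() {   # $1 = certificate, $2 = root CA certificate
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs all three checks; prints one line per check and returns 0 only if all pass.
check_subordinate_cert() {   # $1 = certificate, $2 = private key, $3 = root CA certificate
  rc=0
  key_matches_cert "$1" "$2" && echo "key-match: ok" || { echo "key-match: FAIL (key does not match certificate)"; rc=1; }
  is_ca_cert "$1"           && echo "ca-flags:  ok" || { echo "ca-flags:  FAIL (not a CA certificate, wrong template?)"; rc=1; }
  chains_to_root "$1" "$3"  && echo "chain:     ok" || { echo "chain:     FAIL (does not verify against root)"; rc=1; }
  return $rc
}

make_demo_material
echo "== certificate issued from the subordinate-CA template =="
check_subordinate_cert "$WORK/vmca_signed_good.crt" "$WORK/vmca_issued_csr.key" "$WORK/root.crt"
echo "== certificate issued from an end-entity template =="
check_subordinate_cert "$WORK/vmca_signed_bad.crt" "$WORK/vmca_issued_csr.key" "$WORK/root.crt" || true
```

The second run is the one that matters in practice: a certificate signed from the default web-server template passes the key and chain checks but fails `ca-flags`, and importing it would leave VMCA unable to issue valid certificates for the ESXi hosts.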

Once we have the right certificate files we can import the certificate into the vCenter server with option 1.

Select the path.
At the question “replace Root Certificate with custom certificate and regenerate all other certificates” enter “Y”.

It will now start to regenerate all certificates.
When done, “Status : 100% Completed [All tasks completed successfully]” will be shown.
