Select a Host and go to Configure > Certificate. There you have the option to first refresh and then renew the certificate. Now that your vCenter is an issuing certificate authority with our custom certificates, it will issue certificates with the template we configured 2 steps back.
Another option, and certainly the preferred one if you have several hosts, is to do this with PowerCLI:
Next is running vCenter Certificate Manager to replace the certificates. Log in to the vCenter Appliance using SSH, run the following command, and select option 2 to replace the VMCA root certificate with a custom signing certificate and replace all certificates.
/usr/lib/vmware-vmca/bin/certificate-manager
Select Yes to generate all certificates using configuration file. Supply credentials and input values:
Use option 2 to import custom certificate(s) and key(s). Provide the file location of the two files:
Continue the operation using the option Y and wait for completion:
The next part is copying and pasting in a text editor. We want to create a text file consisting of all the relevant certificate authorities' certificates, chained together.
Important: The order of the certificates in the file matters. First comes the issuing, then the intermediate, and last the root certificate authority.
If you need to create a full chain file for an appliance where the certificate was issued by the issuing certificate authority, that certificate would come before the issuing authority.
The result would look something like the example below:
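One way to assemble such a file and confirm its order with openssl, as an added example that is not part of the original post. The subject names, file names and the helper functions `make_cert`, `name_of` and `check_chain_order` are assumptions made for the demonstration, and the three CAs are generated on the spot.

```shell
# Added example: assemble a full chain file and check the certificate order.
# All subject names and file names are constructed for this demonstration.

# make_cert NAME SUBJECT [SIGNER]: write NAME.key and NAME.pem, signed by
# SIGNER.pem/SIGNER.key, or self-signed when no SIGNER is given.
make_cert() {
    if [ -z "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    else
        openssl req -newkey rsa:2048 -nodes -subj "$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
        openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
            -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
    fi
}

# name_of subject|issuer FILE: print that distinguished name.
name_of() {
    openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# check_chain_order FILE: succeed only if every certificate in FILE names the
# certificate after it as issuer and the last one is self-issued (the root).
# Names are compared; signatures are not verified.
check_chain_order() (
    dir=$(mktemp -d) || exit 2
    trap 'rm -rf "$dir"' EXIT
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }' "$1"
    n=$(ls "$dir" | wc -l)
    [ "$n" -gt 0 ] || exit 1
    i=1
    while [ "$i" -le "$n" ]; do
        next=$(( i < n ? i + 1 : i ))   # the last certificate must issue itself
        [ "$(name_of issuer "$dir/$i.pem")" = "$(name_of subject "$dir/$next.pem")" ] || exit 1
        i=$(( i + 1 ))
    done
)

work=$(mktemp -d) && cd "$work" || exit 1
make_cert root "/CN=Constructed Root CA"
make_cert intermediate "/CN=Constructed Intermediate CA" root
make_cert issuing "/CN=Constructed Issuing CA" intermediate
cat issuing.pem intermediate.pem root.pem > fullchain.pem   # order from the text
cat root.pem intermediate.pem issuing.pem > reversed.pem    # deliberately wrong
check_chain_order fullchain.pem && echo "fullchain.pem: order OK"
check_chain_order reversed.pem || echo "reversed.pem: wrong order"
```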
The next part in this series is setting up the intermediate CA.
In the pfSense administration console head to System > Certificate Manager and under CAs click “+ Add”.
Again, very straightforward: select the appropriate key type and algorithm. Fill in the values and be sure to select the correct method and signing certificate authority.