Data Center Virtualization Certification: VCP6.5-DCV Exam Guide

Create/Manage vCenter Server Security Certificates

Network communications between vSphere components are usually encrypted using TLS/SSL protocols. At a minimum, all management traffic is secured by default.

However, in vSphere 5.5 and earlier, TLS/SSL communications were authenticated only with a username, a password, and basic certificate verification (thumbprint). Starting with vSphere 6.0, vCenter uses certificates for authentication to increase the security of communications.

VMware vSphere 6.x supports the following certificate modes:

  • VMware Certificate Authority (default): The PSC acts as a top-level CA (or as an intermediate CA) and provisions certificates to ESXi hosts and other endpoints that require them.
  • Custom Certificate Authority: In this case, custom certificates signed by third-party or enterprise CAs are used. Unless you change the certificate mode to Custom Certificate Authority, the PSC might replace custom certificates.
  • Thumbprint Mode: Certificates are checked for the correct format, but without verifying the validity of the certificate. This mode was used until vSphere 5.5, and it is still available as a compatibility option in vSphere 6.x.
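
An added example (not from the book or from VMware) contrasting a thumbprint-style check with CA-based verification, using only Python's standard library. It assumes the thumbprint is the SHA-1 digest of the DER-encoded certificate written as colon-separated hex; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, as colon-separated uppercase hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(pinned: str) -> str:
    """Accept 'aa:bb', 'AA BB' or 'aabb' spellings of the same thumbprint."""
    return "".join(c for c in pinned.upper() if c in "0123456789ABCDEF")


def thumbprint_matches(der: bytes, pinned: str) -> bool:
    """Thumbprint-style check: byte identity only, no chain, expiry or hostname test."""
    return hmac.compare_digest(normalize(thumbprint(der)), normalize(pinned))


def thumbprint_context() -> ssl.SSLContext:
    """TLS handshake without validation; the caller must compare the thumbprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ca_context(cafile=None) -> ssl.SSLContext:
    """CA-style check: chain, validity dates and hostname are all enforced."""
    return ssl.create_default_context(cafile=cafile)


def peer_der(host: str, port: int, ctx: ssl.SSLContext) -> bytes:
    """Return the peer's DER certificate (needs network; not called on import)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in for DER bytes; a real run would use peer_der(...).
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PIN = thumbprint(SAMPLE_DER)
```

A matching thumbprint only shows that the endpoint presented the same certificate bytes that were recorded earlier; an expired certificate or one from an untrusted issuer still passes, which `ca_context()` would reject during the handshake.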

For more information about the VMware Certificate Authority, see Objective 1.3.