vSphere 5.1 -> 6.0 upgrade certificate headache?

One thing that I've yet to achieve, but am working on, is a plan for upgrading an existing vSphere 5.1 environment using custom certificates to a 6.0 environment with trusted root-signed VMCA SUB CA certs.  It seems that VMware have forgotten about us.

After you've upgraded, all certs are the same as they were in 5.1.  However, as there are some new service endpoints, these now use VMCA certificates.

Using VMCA to then import a SUB CA signing cert and deploy all new certs, you can replace some, but not all, certs. This leaves a confusing mess of manual and automatic certificates all over the place. It also leaves some solutions such as VUM broken. I have also compared the VECS cert for the vpxd-extension (which is controlled by VMCA and supposed to be used for the inventory service) and this appears to be different to what's used for the inventory service endpoint URL :7444/lookupservice/sdk. The VECS cert says it should be using the new VMCA cert (and my understanding is that it should be using the cert of the new rhttpd proxy, controlled by VMCA), but the browser says it's still using the old 5.1 cert.

Also there are still all the SSO certs which remain at the same state as before the upgrade.  I have always understood them not to be replaced by VMCA, because the docs say they're not, but the documentation does not explain how to replace the 6.0 SSO certs, such as the Group Check, STS and SSO Admin endpoint certs - it just says to replace the certificate chain in the web-admin GUI - this doesn't replace the endpoint certs!

It's almost as if the solution we are running in 5.1 with 100% custom certs is not supported in 6.0. Instead they only want you to replace the 'customer facing' certs and leave the endpoint certs alone - that would be workable only if you're performing a clean installation and not upgrading from a custom certificate environment.

Ideally, we need a process, or utility, to list all possible certificates in use (ALL SSO, endpoint, ESXi, vcenter, webclient, VUM and other solutions) as well as their signing CA and expiry.  A full list of service endpoints which use certs, and which are new/replaced in 6.0, would also be nice.  Without these, certificates are still a big fat headache if upgrading.
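The inventory check the post asks for can be scripted: fetch the certificate each service endpoint actually presents, compute its thumbprint, and compare it with the cert exported from VECS (for example via `vecs-cli entry getcert`), flagging endpoints such as :7444 that still serve an old cert. This is an added example, not from the original post or from VMware; the host name, port list and reliance on an `openssl` binary on PATH are assumptions.

```python
import base64
import hashlib
import socket
import ssl
import subprocess


def pem_to_der(pem: str) -> bytes:
    # Strip the PEM armour and return the raw DER bytes of the first certificate.
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return base64.b64decode("".join(body.split()))


def thumbprint(der: bytes) -> str:
    # SHA-1 thumbprint in the colon-separated form the vSphere UI and VECS show.
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fetch_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    # Fetch the leaf certificate a TLS endpoint presents. Verification is off on
    # purpose: we want to inventory what is served (possibly an old 5.1 cert),
    # not to trust it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def cert_details(der: bytes) -> dict:
    # Subject, issuer (signing CA) and expiry via the openssl CLI (assumed on PATH).
    cmd = ["openssl", "x509", "-inform", "DER", "-noout", "-subject", "-issuer", "-enddate"]
    out = subprocess.run(cmd, input=der, capture_output=True, check=True).stdout.decode()
    return dict(line.split("=", 1) for line in out.splitlines() if "=" in line)


def audit(endpoints, reference_pem: str, fetch=fetch_leaf_der) -> list:
    # Compare each endpoint's served cert with the one exported from VECS.
    # A mismatch means that service still presents a cert VMCA did not replace.
    expected = thumbprint(pem_to_der(reference_pem))
    results = []
    for host, port in endpoints:
        served = thumbprint(fetch(host, port))
        results.append({"endpoint": f"{host}:{port}", "served": served,
                        "matches_vecs": served == expected})
    return results
```

Run it as `audit([("vcenter.example.local", 443), ("vcenter.example.local", 7444)], open("vpxd-extension.crt").read())` (assumed host name and an export from `vecs-cli entry getcert`), and call `cert_details` on each fetched DER blob to add issuer and expiry to the listing.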

