Retrieving Private Key For A Certificate Signing Request Generated In The vSphere Client


Article ID: 338854


Products

VMware vCenter Server

Issue/Introduction

Follow this process to retrieve the private key for a certificate signing request generated in the vSphere Client.

Symptoms:
The private key is missing when you follow the process to import the custom certificate:

  1. From the Home menu, select Administration.
  2. Under Certificates, click Certificate Management.
  3. Under Machine SSL Certificate, for the certificate that you want to replace, click Actions > Import and Replace Certificate.
    • Replace with external CA certificate (requires a private key)
      (Use a certificate signed by an external CA to replace the current certificate.)



Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

When the Certificate Signing Request is generated in the vSphere Client, there is no option to download the private key.

Resolution

Retrieve the private key by using the following process:

  1. Open an SSH session to the vCenter Server Appliance and log in with the root account.
  2. If necessary, switch to BASH by running:
    shell.set --enabled true
    shell
  3. Run the following command to output the private key:
    # /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR
  4. Copy the private key to a Notepad file and save it as private.key. For example:
    -----BEGIN PRIVATE KEY-----
    MIIEvQI...
    70mX1c=
    -----END PRIVATE KEY-----
  5. Open the vSphere Client, and from the Home menu, select "Administration" > "Certificates" > "Certificate Management".
  6. Under Machine SSL Certificate, for the certificate that you want to replace, click Actions > Import and Replace Certificate.
  7. Follow the steps to replace the machine SSL certificate with the CA-signed certificate.
  8. When asked for the private key, provide the key exported in Steps 3 and 4.
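
Before the import in steps 6 to 8, you can confirm that the key saved in step 4 was copied intact and belongs to the CA-signed certificate. The script below is an added example, not part of the original article; it assumes a workstation with bash and openssl, and the function and file names are chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): check that the private key saved in
# step 4 belongs to the CA-signed certificate before importing both.
# Function names and file names are assumptions made for this example.

# Print the SHA-256 digest of the public key held in a file.
# $1 = kind of file (key|cert|csr), $2 = path
pub_digest() {
    local pub
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An empty result means the file did not parse, e.g. a truncated paste.
    [ -n "$pub" ] || return 1
    # Re-encode to DER so all three sources hash identical bytes.
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
# $1 = private key, $2 = kind of the other file (cert|csr), $3 = its path
key_matches() {
    local k o
    k=$(pub_digest key "$1") || { echo "cannot parse private key: $1" >&2; return 2; }
    o=$(pub_digest "$2" "$3") || { echo "cannot parse $2: $3" >&2; return 2; }
    [ "$k" = "$o" ]
}

# Usage: ./check-key.sh private.key signed-cert.pem
if [ "$#" -eq 2 ]; then
    chmod 600 "$1"   # keep the key readable by its owner only
    if key_matches "$1" cert "$2"; then
        echo "OK: private key matches the certificate"
    else
        echo "Mismatch or unreadable file: do not import" >&2
        exit 1
    fi
fi
```

Calling `key_matches private.key csr request.csr` runs the same comparison against the CSR that was sent to the CA.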