Manually replacing a vSphere 6.x/7.x Machine SSL with a Custom signed Certificate via CLI


Article ID: 344924



VMware vCenter Server


This article provides steps to generate a Certificate Signing Request (CSR) and manually replace the Machine SSL certificate with a custom signed certificate in vSphere.

Note: Applies to VCSA 6.x / 7.x only.

  • Certificate Manager fails to generate Certificate Signing Request (CSR).
  • Certificate Manager fails to replace Certificate.


VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.7.x


  1. Create a folder named certs in root.
       mkdir /certs
  2. Copy the config file:
       cp /usr/lib/vmware-vmca/share/config/certool.cfg /certs/Machine_ssl_cert.cfg
  3. Create the private and public key:
       /usr/lib/vmware-vmca/bin/certool --genkey --privkey=machine_ssl_cert.priv --pubkey=machine_ssl_cert.pubkey
  4. Create the Certificate Signing Request (CSR):
       /usr/lib/vmware-vmca/bin/certool --initcsr --privkey=machine_ssl_cert.priv --pubkey=machine_ssl_cert.pubkey --csrfile=machine.csr --config=Machine_ssl_cert.cfg
  5. Sign the CSR, then create a chain and name it machine.crt. Refer to Obtaining vSphere certificates from a Microsoft Certificate Authority.
     Note: A similar process applies to third-party custom certificates, where the customer provides the CSR to the certificate vendor to generate the signed certificate.
  6. Back up the existing certificate and key to local files:
       /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > oldmachine.crt
       /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > oldmachinekey.key
  7. Delete the existing certificate:
       /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
  8. Add the new certificate:
       /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert machine.crt --key machine_ssl_cert.priv
  9. Update the lookup service registration endpoints with the trustfix option described in Using the 'lsdoctor' Tool (80469).
    • vCenter 7.x - Manually
      • /usr/lib/vmware-lookupsvc/tools/ --url https://<vCenterServer_FQDN>/lookupservice/sdk --certfile <cert-file-path> --user '[email protected]' --password '<password>' --fingerprint <SHA1_hash_of_the_old_certificate_to_replace>
Note: On vCenter 8.0 U2, will fail with an attribute error. Please refer to KB 95982 for steps to work around this.
  10. Restart the services.
  11. Verify that the web client shows the new certificate and the full VCSA inventory.
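
The delete step removes the working certificate before the new one is imported, so the sketch below confirms that machine.crt (leaf certificate first) matches machine_ssl_cert.priv and prints the SHA1 fingerprint of oldmachine.crt for the --fingerprint argument. It is an added example, not part of the original article: it assumes openssl is available where the files are, and the function names and the preflight.sh file name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the KB article). Assumes openssl is installed and
# that the files created in the steps above are in the current directory.

# True only if the FIRST certificate in chain file $1 carries the public key
# of private key $2. openssl x509 reads just the first PEM block, so a chain
# assembled in the wrong order (CA certificate first) fails this check too.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Colon-separated SHA1 fingerprint of the first certificate in file $1.
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# preflight NEW_CHAIN NEW_KEY OLD_CERT_BACKUP
preflight() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1") ||
        { echo "FAIL: no PEM certificate found in $1"; return 1; }
    echo "certificates in $1: $n"
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: first certificate in $1 does not match key $2"; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: leaf certificate in $1 has expired"; return 1; }
    echo "SHA1 fingerprint of old certificate: $(cert_sha1 "$3")"
    echo "OK: $1 and $2 are consistent"
}

# Example: sh preflight.sh machine.crt machine_ssl_cert.priv oldmachine.crt
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

machine_ssl_cert.priv and the oldmachinekey.key backup are unencrypted private keys, so keep the working folder readable by root only and remove the copies once the replacement is verified.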

Additional Information

For more information, refer to Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate.

  • Always take a snapshot of the VCSA prior to proceeding with this method.
  • If using Enhanced Linked Mode, ensure that all Platform Services Controllers in the federated environment are shut down, and take a snapshot of all of them while they are powered off. They should be powered down to ensure that no partial replication takes place during the snapshot operation. Power on all the PSCs when the snapshot operation is complete. Also, take snapshots of the vCenter systems while powered off.
  • A snapshot revert (if required to recover from damage) should happen on all the nodes, to the same powered-off snapshot state, to ensure replication data consistency.