Steps to replace MACHINE_SSL_CERT on vCenter server using default VMCA root certificate on vCenter Server UI

Article ID: 382069

Products

VMware vCenter Server

Issue/Introduction

Users may need to replace the MACHINE_SSL_CERT on their vCenter Server using the default VMCA root certificate. This specific certificate replacement process can be performed through the vSphere Client interface when you need to regenerate the machine SSL certificate while continuing to use the built-in VMware Certificate Authority (VMCA).

Environment

  • VMware vSphere 7.0 and newer
  • vSphere Client
  • Valid vCenter Single Sign-On administrator credentials
  • Access to [email protected] account (or equivalent domain administrator account)

Cause

The MACHINE_SSL_CERT may need replacement for several reasons:

  • The current certificate is approaching expiration
  • Security policies require periodic certificate regeneration
  • The certificate has become compromised
  • Security compliance with organizational standards must be maintained

Using the default VMCA root certificate for replacement is the simplest approach when external certificate authorities aren't required.

Resolution

Follow these steps to renew VMCA-signed certificates:

  1. Access the vSphere Client
    1. Launch the vSphere Client
    2. Log in using [email protected] credentials (or administrator@mydomain if a different domain was configured during installation)

  2. Navigate to Certificate Management
    1. Click the Home menu
    2. Select Administration
    3. Under Certificates, click Certificate Management

  3. Authenticate (if prompted)
    • Enter your vCenter Server credentials

  4. Renew the Machine SSL Certificate
    1. Select the Machine SSL tab
    2. Choose the certificate you want to replace
    3. Click Renew (this process replaces the existing certificate with a new one using the default VMCA root certificate)
    4. Enter the desired certificate duration (in days)
    5. Check the backup acknowledgment box
    6. Click Renew
    7. Once successful, click Refresh to update your browser
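
To confirm the renewal from a workstation, the following added example (not part of the original article or any VMware tooling) compares the certificate captured before the renewal with the one served afterwards, using standard openssl commands. It assumes the old certificate was also VMCA-signed, so the issuer should be unchanged; the host name and file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example: verify a Machine SSL certificate renewal from the outside.
# Assumptions: openssl is installed; host and file names are placeholders.

# Save the leaf certificate a server presents on port 443 as PEM.
fetch_cert() {  # usage: fetch_cert <host> <out.pem>
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# SHA-256 fingerprint and issuer DN of a PEM certificate file.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
cert_issuer()      { openssl x509 -in "$1" -noout -issuer; }

# Returns 0 only if the new certificate differs from the old one, keeps the
# same issuer (the VMCA root is still the signer), and remains valid for at
# least <min_days> days (compare with the duration entered in step 4).
renewal_check() {  # usage: renewal_check <old.pem> <new.pem> <min_days>
  if [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; then
    echo "FAIL: fingerprint unchanged, the old certificate is still in use"
    return 1
  fi
  if [ "$(cert_issuer "$1")" != "$(cert_issuer "$2")" ]; then
    echo "FAIL: issuer changed: $(cert_issuer "$2")"
    return 2
  fi
  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$2" -noout -checkend "$(($3 * 86400))" >/dev/null; then
    echo "FAIL: new certificate expires in under $3 days"
    return 3
  fi
  echo "OK: renewed certificate $(cert_fingerprint "$2")"
}

# Typical use:
#   fetch_cert vcenter.example.com before.pem   # before clicking Renew
#   fetch_cert vcenter.example.com after.pem    # after the Refresh in step 4.7
#   ./check_renewal.sh before.pem after.pem 700
if [ "$#" -eq 3 ]; then
  renewal_check "$1" "$2" "$3"
fi
```

Capture before.pem before starting the procedure, because the old certificate is no longer served once the renewal completes.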

Additional Information

  • Always back up vCenter Server and its databases before performing certificate operations
    • A powered-off snapshot also creates a reliable roll-back point

  • Certificate renewal maintains existing trust relationships while providing fresh validity periods

  • The process can be performed on individual certificates or multiple certificates simultaneously
