This article provides steps on how to generate a CSR and key through the vCenter Server command line for a Custom Machine Certificate.
The steps below are an alternate method of generating a CSR and key for a Custom Machine Certificate:
** Take a valid file-based backup or snapshot of the vCenter Server (offline snapshots if in Enhanced Linked Mode environment) prior to making any changes.
Steps to generate a new CSR and key manually through the vCenter command line:
1. Log into vCenter Server through an SSH session as root and run shell
2. Create a new file
Run the following command to create the new file: vi /tmp/newcert.cfg
3. Copy and paste the content below into this newcert.cfg file and customize the subjectAltName and everything in the third section ([ req_distinguished_name ])
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vCenter-FQDN, IP:vCenter-IP
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = vCenter-FQDN
4. Save the file: Press "Esc" then type ":wq!" and press "enter"
5. Now generate the CSR and key by running the following command:
openssl req -new -nodes -out /root/newcert.csr -newkey rsa:2048 -keyout /root/newcert.key -config /tmp/newcert.cfg
Note: The RSA key size (rsa:2048 above) can be changed from 2048 bits (minimum) to 16384 bits (maximum).
Please see the following article for more information on this: Certificate Requirements for Different Solution Paths
6. The key and CSR should now be present in the /root/ directory
7. You can now copy these two files off the appliance using a tool such as WinSCP and provide the CSR to your CA to receive your Custom Certificate
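As an added example that is not part of this KB, the same generation run as a shell script that also checks the resulting CSR before it goes to the CA: it confirms that both SAN entries are present and that the CSR's public key matches the generated private key. Assumptions: openssl is on the PATH, a writable work directory is passed in, and the FQDN and IP values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the KB: generate the CSR/key from a config like the
# one above into a work directory, then verify the CSR before handing it to a CA.
# Assumptions: openssl on PATH; the FQDN/IP arguments are constructed placeholders.
set -eu

# gen_csr <workdir> <fqdn> <ip> -> writes newcert.cfg, newcert.key, newcert.csr
gen_csr() {
    dir="$1"; fqdn="$2"; ip="$3"
    cat > "$dir/newcert.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn, IP:$ip
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = $fqdn
EOF
    openssl req -new -nodes -out "$dir/newcert.csr" -newkey rsa:2048 \
        -keyout "$dir/newcert.key" -config "$dir/newcert.cfg"
}

# verify_csr <workdir> <fqdn> <ip> -> returns 0 only if the CSR carries both
# expected SAN entries and its public key matches the private key just generated.
verify_csr() {
    dir="$1"; fqdn="$2"; ip="$3"
    text=$(openssl req -in "$dir/newcert.csr" -noout -text)
    echo "$text" | grep -q "DNS:$fqdn" || { echo "missing DNS SAN"; return 1; }
    echo "$text" | grep -q "IP Address:$ip" || { echo "missing IP SAN"; return 1; }
    csr_pub=$(openssl req -in "$dir/newcert.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/newcert.key" -pubout)
    [ "$csr_pub" = "$key_pub" ] || { echo "key/CSR mismatch"; return 1; }
}
```

Run it as `gen_csr /root vcenter.example.test 192.0.2.10 && verify_csr /root vcenter.example.test 192.0.2.10`; a non-zero exit with one of the messages above means the CSR should not be submitted.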
Please see the following KB for further steps on updating the custom machine certificate: Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate