Replacing vCenter Machine SSL Certificate with a Custom CA-Signed Certificate Using the vCenter GUI

Article ID: 403973


Products

VMware vCenter Server

Issue/Introduction

This article explains how to replace a vCenter Machine SSL certificate with a Custom Certificate Authority (CA) signed certificate using vCenter Client.


Environment

vCenter 7.x
vCenter 8.x

Resolution

Prerequisites:

  • Take a snapshot of the vCenter Server before performing this activity. If the vCenter Server is in Enhanced Linked Mode, take offline snapshots of all the linked vCenter Servers together.

 

1. Generate the Certificate Signing Request (CSR)

Note: If you're using Microsoft Certificate Authority and it hasn't been configured with a template, refer to the article: Creating a Microsoft Certificate Authority Template for SSL Certificate Creation in vSphere 6.x/7.x (315271)

  • Log in to the vSphere Web Client as administrator@vsphere.local or a user in the CAAdmins vCenter Single Sign-On group.

  • Navigate to Home > Administration > Certificate Management.

  • Under the Machine SSL tab, select the radio button next to the vCenter Server certificate.

  • Click Generate Certificate Signing Request (CSR).

Note: Refer to the below information to enter values for CSR generation.

  • Common Name: Fully Qualified Domain Name (FQDN) of the vCenter Server
  • Organization: Your company name
  • Organizational Unit: Department name, e.g., IT
  • Country: Two-letter country code (e.g., US)
  • State/Province: The state or province where the organization is located
  • Locality: The city where the organization is located
  • Email: Contact email address
  • Host: Fully Qualified Domain Name (FQDN) of the vCenter Server
  • Subject Alternative Name (SAN): FQDN(s), short hostname, and IP address, comma-separated (e.g., vcsa.domain.local,vcsa,192.168.1.10)

Important: Ensure that the Primary Network Identifier (PNID) matches the hostname. To verify, run the following command on the vCenter Server; the two values it prints must be identical:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost && hostname -f

 

2. Submit CSR to Certificate Authority

Submit the generated vmca_issued_csr.csr to your third-party CA to obtain the Machine SSL certificate.

 

3. Prepare Certificate Files

Note: If one or more intermediate certificate authorities are involved, the "chain.cer" should be a chain of all intermediate CA certificates followed by the Root CA certificate. The "machine_name_ssl.cer" should include the machine certificate only.

Format the certificates into the correct structure:

  • Machine SSL Certificate File (machine_name_ssl.cer):

-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>    <----- Signed Machine Certificate
-----END CERTIFICATE-----

  • Chain File (chain.cer):

-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>    <----- Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>    <----- Root Certificate
-----END CERTIFICATE-----

 

Note: In some cases, an "Issuer Certificate" may also be provided. This is treated as an intermediate certificate and should be included in the chain in the exact order received from the CA.


-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>    <----- Issuer Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>    <----- Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters>    <----- Root Certificate
-----END CERTIFICATE-----
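
The layout above is easy to get wrong (a root placed before an intermediate, a second certificate pasted into the machine file, a stray trailing space), and the GUI gives little feedback. The script below is an added example, not part of this article and not a VMware tool: it builds a throwaway three-tier test PKI with the openssl CLI (root, intermediate, machine certificate; all names, the IP address 192.168.1.10 and the file names are constructed for the example), assembles machine_name_ssl.cer and chain.cer in the layout the article describes, and then checks both files the way a practitioner would before uploading them. The check_cert_files function works for any chain depth, so the "Issuer Certificate" variant is covered by the same loop. In a real replacement you would skip build_test_pki and point the function at the files returned by your CA.

```shell
#!/bin/sh
# Added example, not from the KB article: constructed test PKI plus pre-upload
# checks for machine_name_ssl.cer and chain.cer. Requires the openssl CLI.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Constructed PKI: Example Root CA -> Example Intermediate CA -> vcsa.example.local
build_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vcsa.example.local,DNS:vcsa,IP:192.168.1.10\n' > leaf.ext
    openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example Root CA' -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in root.csr -signkey root.key -extfile ca.ext -out root.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=Example Intermediate CA' -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -out int.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj '/CN=vcsa.example.local' -keyout vcsa.key -out vcsa.csr 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in vcsa.csr -CA int.crt -CAkey int.key -CAcreateserial -extfile leaf.ext -out vcsa.crt 2>/dev/null
}

# Print the subject or issuer of a PEM file in RFC 2253 form so names compare as plain strings.
name_of() {  # $1 = subject|issuer, $2 = PEM file
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*=//'
}

# Split a PEM bundle into $2/1.pem, $2/2.pem, ... preserving file order.
split_pem() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/" n ".pem") }' "$1"
}

# Check the upload pair. $1 = machine_name_ssl.cer, $2 = chain.cer, $3 = vCenter FQDN.
# Returns 0 only when every check passes and prints the first failure otherwise.
check_cert_files() {
    machine="$1"; chain="$2"; fqdn="$3"; parts="$(mktemp -d "$WORK/parts.XXXXXX")"
    # 1. exactly one certificate in the machine file, at least one in the chain file
    [ "$(grep -c 'BEGIN CERTIFICATE' "$machine")" -eq 1 ] || { echo "FAIL: $machine must hold the machine certificate only"; return 1; }
    n="$(grep -c 'BEGIN CERTIFICATE' "$chain" || true)"
    [ "$n" -ge 1 ] || { echo "FAIL: $chain holds no certificate"; return 1; }
    # 2. no trailing whitespace or CR on any line (the article warns against trailing spaces)
    if grep -q '[[:space:]]$' "$machine" "$chain"; then echo "FAIL: trailing whitespace in certificate file"; return 1; fi
    # 3. the SAN must carry the vCenter FQDN that clients and ESXi hosts connect to
    openssl x509 -noout -ext subjectAltName -in "$machine" 2>/dev/null | grep -q "DNS:$fqdn" \
        || { echo "FAIL: SAN of $machine lacks DNS:$fqdn"; return 1; }
    # 4. chain order: the issuer of each certificate must be the subject of the next one
    split_pem "$chain" "$parts"
    prev="$machine"; i=1
    while [ "$i" -le "$n" ]; do
        [ "$(name_of issuer "$prev")" = "$(name_of subject "$parts/$i.pem")" ] \
            || { echo "FAIL: $chain is out of order at certificate $i"; return 1; }
        prev="$parts/$i.pem"; i=$((i + 1))
    done
    # 5. the last certificate must be self-signed, i.e. the root CA
    [ "$(name_of issuer "$prev")" = "$(name_of subject "$prev")" ] || { echo "FAIL: $chain does not end at a root CA"; return 1; }
    # 6. cryptographic check of the machine certificate against the chain
    openssl verify -CAfile "$chain" "$machine" >/dev/null 2>&1 || { echo "FAIL: openssl verify rejected $machine"; return 1; }
    echo "OK: $machine and $chain are ready to upload"
}

build_test_pki
cat vcsa.crt > machine_name_ssl.cer       # machine certificate only
cat int.crt root.crt > chain.cer          # intermediate first, root last
cat root.crt int.crt > bad_order.cer      # constructed mistake: reversed chain
sed 's/^-----END CERTIFICATE-----$/& /' chain.cer > trailing_space.cer   # constructed mistake: trailing blank
check_cert_files machine_name_ssl.cer chain.cer vcsa.example.local
check_cert_files machine_name_ssl.cer bad_order.cer vcsa.example.local || true
check_cert_files machine_name_ssl.cer trailing_space.cer vcsa.example.local || true
```

Note that `openssl verify -CAfile chain.cer` alone would accept the reversed chain, because every certificate in a CAfile is treated as trusted regardless of position; the explicit issuer-to-subject walk in step 4 is what catches the ordering mistake the article's layout is meant to prevent.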

 

4. Import the Certificate into vCenter

  • Return to Certificate Management in the vSphere Web Client.

  • Under the Machine SSL tab, select the vCenter Server certificate radio button.

  • Click Import and Replace Certificate.

  • Choose Replace with external CA certificate where CSR is generated from vCenter Server (private key embedded).

    • However, if you choose "Replace with external CA certificate (requires private key)", you must manually extract the private key. This can be done by following the steps outlined in the Broadcom Knowledge Base article: KB 338854.

  • Browse and upload the machine_name_ssl.cer under Machine SSL Certificate.

  • Browse and upload the chain.cer under Chain of trusted root certificates.

Note: Ensure there are no trailing spaces at the end of the certificate content.

  • Acknowledge the backup warning by checking the checkbox.

  • Click Next, review the certificate details, and click Finish to complete the replacement.

Additional Information