Note: A newer certificate management and replacement tool, vCert (Scripted vCenter Expired Certificate Replacement), is available. You are encouraged to use vCert for all certificate workflows, including replacing Machine SSL certificates.
If you are using a Microsoft Certificate Authority for the custom Machine SSL certificate and it does not yet have a suitable template configured, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (315271).
Launch the VMware Certificate Manager:
vCenter Server 6.x/7.x/8.x Appliance:
/usr/lib/vmware-vmca/bin/certificate-manager
Note: Use the following values when prompted during CSR generation.
Country: Two uppercase letters only (for example, US): the country where the company is located.
Name: FQDN of the vCenter Server (Note: this becomes the certificate's Subject Alternative Name)
Organization: Company Name
OrgUnit: The name of the department within the organization. Example: "IT"
State: The state/province where the company is located.
Locality: The city where the company is located.
IPAddress: IP Address of vCenter Server
Email: Email Address
Hostname: FQDN of vCenter Server (this field accepts multiple entries separated by commas, for example: VCSA1.vsphere.local,vcsa1,<IP address of vCenter Server>)
VMCA Name: FQDN of vCenter Server
Make sure the Primary Network Identifier (PNID) matches the Hostname.
To obtain the PNID and the hostname, run the following command:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost && hostname -f
Submit vmca_issued_csr.csr to the Certificate Authority to have a Machine SSL certificate issued, and save the result as machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (315372).
Note: For more information on allowing WinSCP connections to a vCenter Server Appliance, see Connecting to vCenter Server Virtual Appliance using WinSCP (326317).
Provide the full path to machine_name_ssl.cer and vmca_issued_key.key from Step 5 and the CA certificate Root64.cer.
Note: If one or more intermediate certificate authorities are involved, Root64.cer must contain the chain of all intermediate CA and Root CA certificates. machine_name_ssl.cer must be the complete chain, from the leaf downward: the machine certificate first, then the intermediate CA certificate(s), then the root certificate, in that order.
The machine_name_ssl.cer should be a complete chain file similar to the order below:
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Root Certificate
-----END CERTIFICATE-----
For example:
Provide a valid custom certificate for Machine SSL.
File : /tmp/ssl/machine_name_ssl.cer
Provide a valid custom key for Machine SSL.
File : /tmp/ssl/machine_name_ssl.key
Provide the signing certificate of the Machine SSL certificate.
File : /tmp/ssl/Root64.cer
Note: In some cases the Certificate Authority returns an "Issuer Certificate" in addition to the Root, Intermediate and SSL certificates. This is simply another intermediate certificate and must be included in the chain.
Add it to the chain in the same order in which the certificates were received from the Certificate Authority.
For example:
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Issuer Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Root Certificate
-----END CERTIFICATE-----
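The chain order, key pairing and Hostname rules described above can be verified before certificate-manager is run. The following script is an added example and is not part of this KB or of certificate-manager; it assumes openssl is on the PATH of the host where it runs, uses the file names from the example above, and takes as third argument the FQDN entered as Hostname.

```sh
#!/bin/sh
# Added example (not from the KB): pre-flight checks on a machine_name_ssl.cer chain
# file and its private key before they are handed to certificate-manager.
# Assumes: openssl on PATH; file names as in the example above.
# usage: check_chain /tmp/ssl/machine_name_ssl.cer /tmp/ssl/machine_name_ssl.key vcsa1.vsphere.local

# Subject or issuer DN of a certificate, without the "subject="/"issuer=" prefix
x509_dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }

# SHA-256 of the DER-encoded public key, taken from a certificate or from a private key
pub_fp_cert() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256; }
pub_fp_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }

# check_chain <chain.cer> <key.key> [expected-fqdn]: exits 0 only if every check passes
check_chain() (
  chain=$1; key=$2; fqdn=${3:-}
  dir=$(mktemp -d) || exit 1
  fail() { echo "FAIL: $1" >&2; rm -rf "$dir"; exit 1; }
  # Split the bundle into cert001.pem, cert002.pem, ... preserving file order
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n>0{print > (sprintf("%s/cert%03d.pem", d, n))}' "$chain"
  [ -f "$dir/cert001.pem" ] || fail "no PEM certificate found in $chain"
  n=0
  for c in "$dir"/cert*.pem; do
    n=$((n+1)); subj=$(x509_dn "$c" subject); iss=$(x509_dn "$c" issuer)
    if [ "$n" -eq 1 ]; then
      # 1. The first (machine) certificate must belong to the private key
      [ "$(pub_fp_cert "$c")" = "$(pub_fp_key "$key")" ] || fail "$key does not match the first certificate"
      # 2. The vCenter FQDN given as Hostname must be in the leaf's Subject Alternative Name
      if [ -n "$fqdn" ]; then
        openssl x509 -in "$c" -noout -text | tr ', ' '\n\n' | grep -qxF "DNS:$fqdn" \
          || fail "Subject Alternative Name does not contain DNS:$fqdn"
      fi
    else
      # 3. Each certificate must be issued by the one after it: machine -> intermediate(s) -> root
      [ "$prev_iss" = "$subj" ] || fail "certificate $((n-1)) is not issued by certificate $n (wrong order or missing CA)"
    fi
    prev_iss=$iss
  done
  # 4. The chain must end at a self-signed root, otherwise the file is incomplete
  [ "$iss" = "$subj" ] || fail "last certificate is not a self-signed root"
  rm -rf "$dir"
  echo "OK: $n certificate(s); key matches; order machine -> intermediate(s) -> root verified"
)
```

A non-zero exit with a FAIL message points at the same mistakes (wrong order, missing root, key from the wrong CSR, FQDN absent from the SAN) that otherwise surface only after certificate-manager has started the replacement.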
Related Information:
How to use vSphere Certificate Manager to Replace SSL Certificates
Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA
Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate
"ERROR certificate-manager 'lstool get' failed: 1" during Certificate Replacement on vCenter Server 6.x
Connecting to vCenter Server Virtual Appliance using WinSCP fails with the error: Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B
"Operation failed, performing automatic rollback" error when Certificate Manager fails at 0% replacing certificates
Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x
Obtaining vSphere certificates from a Microsoft Certificate Authority