Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate

Article ID: 316601

Updated On: 04-24-2025

Products

VMware vCenter Server

Issue/Introduction

This article explains how to replace a vCenter Machine SSL certificate with a Custom Certificate Authority (CA) signed certificate:

Notes:
  • For vCenter Server with an embedded Platform Services Controller (PSC), there will be one Machine SSL certificate.
  • For vCenter Server with an external Platform Services Controller, each machine has its own Machine SSL certificate, so this task must be performed on each machine.
  • VMware does not support the use of wildcard certificates on the vCenter Server. Refer to Certificate Requirements for the Different Solution Paths.

Environment

  • vCenter 7.x
  • vCenter 8.x

Resolution

Note: A new, improved certificate management and replacement tool, vCert - Scripted vCenter Expired Certificate Replacement, is available. You are encouraged to use vCert for all certificate-related workflows, including replacing the Machine SSL certificate.

If a Microsoft Certificate Authority will issue the custom Machine SSL certificate and it does not yet have a suitable template, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (315271).

  1. Launch the VMware Certificate Manager:

    vCenter Server 6.x/7.x/8.x Appliance:
    /usr/lib/vmware-vmca/bin/certificate-manager

  2. Select Option 1 (Replace Machine SSL certificate with custom certificate).
  3. Provide the administrator@vsphere.local password when prompted.
  4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate).
  5. Enter the directory in which to save the certificate signing request and the private key.
    • Note: Use the following values when prompted for the CSR fields.

      Country:      Two uppercase letters only (e.g. US); the country where the company is located.
      Name:         FQDN of the vCenter Server (this becomes the certificate Subject Name).
      Organization: Company name.
      OrgUnit:      The name of the department within the organization, for example "IT".
      State:        The state or province where the company is located.
      Locality:     The city where the company is located.
      IPAddress:    IP address of the vCenter Server.
      Email:        Email address.
      Hostname:     FQDN of the vCenter Server. This field accepts multiple comma-separated entries, each of which becomes a Subject Alternative Name, for example: VCSA1.vsphere.local,vcsa1,<IP address of vCenter Server>
      VMCA Name:    FQDN of the vCenter Server.

    • Make sure the Primary Network Identifier (PNID) matches the Hostname. To obtain the PNID and the hostname, run:

      /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost && hostname -f

    • The files created will have the names vmca_issued_csr.csr and vmca_issued_key.key.

  6. Submit vmca_issued_csr.csr to the Certificate Authority and save the issued Machine SSL certificate as machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (315372).

    Note: For more information on allowing WinSCP connections to a vCenter Server Appliance, see Connecting to vCenter Server Virtual Appliance using WinSCP (326317).

  7. Return to the vCenter server Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).
  8. Provide the full path to machine_name_ssl.cer (from Step 6), vmca_issued_key.key (from Step 5), and the CA certificate Root64.cer.


    Note: If one or more intermediate certificate authorities are involved, Root64.cer must contain all intermediate CA certificates and the Root CA certificate, and machine_name_ssl.cer must be the full chain from the top down: the machine (leaf) certificate first, then the intermediate CA certificate(s), then the Root CA certificate, in that order.

    The machine_name_ssl.cer should be a complete chain file in the order below:

    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters> <----- Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters> <----- Intermediate Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters> <----- Root Certificate
    -----END CERTIFICATE-----

    For example:

    Provide a valid custom certificate for Machine SSL.
    File : /tmp/ssl/machine_name_ssl.cer

    Provide a valid custom key for Machine SSL.
    File : /tmp/ssl/vmca_issued_key.key

    Provide the signing certificate of the Machine SSL certificate.
    File : /tmp/ssl/Root64.cer

  9. Answer Yes (Y) to the confirmation request to proceed.

Note: In some cases the Certificate Authority returns an additional "Issuer Certificate" alongside the Root, Intermediate, and SSL certificates. This is simply another intermediate CA certificate and must be part of the chain. Add it to machine_name_ssl.cer in the same sequence in which the Certificate Authority supplied it.

For example:

-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Issuer Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Root Certificate
-----END CERTIFICATE-----
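The chain-order and file-matching rules from Step 8 and the note on issuer certificates above are easy to get wrong, so it is worth checking the three files before answering Yes at Step 9. The following POSIX shell script is an added example, not part of this article or of VMware's tooling. It checks that the first certificate in machine_name_ssl.cer belongs to vmca_issued_key.key, that each certificate in the chain is issued by the one after it (leaf, then any issuer or intermediate certificates, then root), that the leaf verifies against Root64.cer, and that the PNID is present as a DNS Subject Alternative Name. The function names, the throwaway CA built by make_demo_chain, the address 192.0.2.10 and the hostname vcsa1.vsphere.local are constructed for this example; the script assumes an openssl binary on the PATH and the file names used in this article.

```shell
#!/bin/sh
# Added example, not part of the VMware KB article: pre-flight checks on the
# three files certificate-manager asks for at Step 8, run from the appliance
# shell before answering "Y" at Step 9. Assumes the file names used in the
# article and an openssl binary on the PATH; the demo chain at the bottom is
# constructed test data, not a real CA.

# Print the Nth PEM certificate block (1 = first) from a chain file.
pem_block() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n == want' "$1"
}

# Number of PEM certificate blocks in a file.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_machine_ssl_bundle CHAIN KEY CAFILE FQDN
#   CHAIN   machine_name_ssl.cer: leaf first, then intermediate(s), then root
#   KEY     vmca_issued_key.key: the private key written at Step 5
#   CAFILE  Root64.cer: the intermediate and root CA certificates
#   FQDN    the PNID, which must appear as a DNS Subject Alternative Name
# Returns 0 when every check passes, otherwise prints the reason and returns 1.
check_machine_ssl_bundle() {
    chain="$1"; key="$2"; cafile="$3"; fqdn="$4"
    n=$(pem_count "$chain")
    [ "$n" -ge 2 ] ||
        { echo "FAIL: $chain holds $n certificate(s); expected leaf plus CA chain"; return 1; }

    # 1. The first block must be the certificate that belongs to the private key.
    leaf_pub=$(pem_block "$chain" 1 | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$leaf_pub" = "$key_pub" ] ||
        { echo "FAIL: first certificate in $chain does not match $key (leaf must come first)"; return 1; }

    # 2. Each certificate must be issued by the one that follows it (top-down order).
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_block "$chain" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
        subject=$(pem_block "$chain" $((i + 1)) | openssl x509 -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] ||
            { echo "FAIL: certificate $i is not issued by certificate $((i + 1)); chain is out of order"; return 1; }
        i=$((i + 1))
    done

    # 3. The leaf must verify against the CA file that will be handed to certificate-manager.
    pem_block "$chain" 1 | openssl verify -CAfile "$cafile" -untrusted "$chain" >/dev/null 2>&1 ||
        { echo "FAIL: $chain does not verify against $cafile"; return 1; }

    # 4. The leaf must carry the PNID as a DNS SAN, or clients will reject the hostname.
    pem_block "$chain" 1 | openssl x509 -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' | tr -d ' ' | tr ',' '\n' |
        grep -qx "DNS:$fqdn" ||
        { echo "FAIL: leaf certificate has no DNS SAN for $fqdn"; return 1; }

    echo "OK: $chain, $key and $cafile are consistent for $fqdn"
}

# Build a throwaway Root CA -> Issuing CA -> machine certificate chain in DIR.
# Constructed demo data so the checks can be exercised offline; the real CSR
# comes from certificate-manager (Step 5) and the real certificate from your CA.
make_demo_chain() {
    dir="$1"; fqdn="$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,IP:192.0.2.10\n' "$fqdn" > "$dir/leaf.ext"
    # Root CA (self-signed)
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.cer" 2>/dev/null
    # Intermediate (issuing) CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Issuing CA' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/inter.csr" -CA "$dir/root.cer" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.cer" 2>/dev/null
    # Machine SSL certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/O=Example/CN=$fqdn" \
        -keyout "$dir/vmca_issued_key.key" -out "$dir/vmca_issued_csr.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/vmca_issued_csr.csr" -CA "$dir/inter.cer" -CAkey "$dir/inter.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.cer" 2>/dev/null
    # The files Step 8 asks for, plus one chain in the wrong order for comparison
    cat "$dir/leaf.cer" "$dir/inter.cer" "$dir/root.cer" > "$dir/machine_name_ssl.cer"
    cat "$dir/inter.cer" "$dir/root.cer" > "$dir/Root64.cer"
    cat "$dir/leaf.cer" "$dir/root.cer" "$dir/inter.cer" > "$dir/wrong_order.cer"
}

# Usage on the appliance once the files from Steps 5, 6 and 8 are in /tmp/ssl:
#   check_machine_ssl_bundle /tmp/ssl/machine_name_ssl.cer /tmp/ssl/vmca_issued_key.key \
#       /tmp/ssl/Root64.cer "$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)"
```

Run it with the real paths and the PNID from the vmafd-cli command in Step 5. A chain saved in the order root, intermediate, leaf fails check 1 because the first block does not match the key; leaf, root, intermediate passes check 1 but fails check 2; an extra issuer certificate from the CA is just one more link that check 2 walks, provided it sits between the machine certificate and the certificate that signed it.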

Additional Information