• For vCenter Server with an embedded Platform Services Controller (PSC), there will be one Machine SSL certificate.
• For vCenter Server with an external Platform Services Controller, each machine will have its own Machine SSL certificate. Therefore, this task must performed on each machine.
• VMware does not support the use of wildcard certificates on the vCenter Server. Refer to Certificate Requirements for the Different Solution Paths.

Note: A new improved certificate management/replace tool  vCert - Scripted vCenter Expired Certificate Replacement is  available. You are encouraged to use vCert to manage all the certificates and related workflows including the workflow of replacing Machine SSL Certificates. 

If using Microsoft Certificate Authority for the custom machine cert, and it is not yet configured with a template to use, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (315271).

1. Launch the VMware Certificate Manager:

   vCenter Server 6.x/7.x/8.x Appliance:
   /usr/lib/vmware-vmca/bin/certificate-manager

2. Select Option 1 (Replace Machine SSL certificate with custom certificate).
3. Provide the administrator@vsphere.local password when prompted.
4. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
5. Enter the directory in to save the certificate signing request and the private key.

   • Note: Refer to the below information to enter values for CSR generation.

     Country:         Two uppercase letters only (Eg. US), the country where the company is located.
     Name:            FQDN of the vCenter Server (Note: This will be the Certificate Subject Alternate Name)
     Organization: Company Name
     OrgUnit:         The name of the department within the organization. Example: "IT"
     State:             The state/province where the company is located
     Locality:         The city where the company is located.
     IPAddress:     IP Address of vCenter Server
     Email:            Email Address
     Hostname:     FQDN of vCenter Server (This field accepts multiple entries separated by comma. For example: VCSA1.vsphere.local,vcsa1,ip address of vCenter Server)
     VMCA Name: FQDN of vCenter Server

   • Make sure the Primary Network Identifier (PNID) matches the Hostname.
     To obtain the PNID and hostname please refer to the following command:

     /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost && hostname -f

   • The files created will have the names vmca_issued_csr.csr and vmca_issued_key.key.
     
     

6. Provide the vmca_issued_csr.csr to the Certificate Authority to generate a Machine SSL Certificate, name the file machine_name_ssl.cer. For more information, see Obtaining vSphere certificates from a Microsoft Certificate Authority (315372).

   Note: For more information on allowing WinSCP connections to a vCenter Server Appliance, see Connecting to vCenter Server Virtual Appliance using WinSCP (326317).

7. Return to the vCenter server Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate).

8. Provide the full path to machine_name_ssl.cer and vmca_issued_key.key from Step 5 and the CA certificate Root64.cer.

   
   Note: If one or more intermediate certificate authorities, the root64.cer should be a chain of all intermediate CA and Root CA certificates. The "machine_name_ssl.cer" should be a full chain (leaf) from top down, including machine, inter ca(s), and root certs, in proper order.

   The machine_name_ssl.cer should be a complete chain file similar to the order below:

   -----BEGIN CERTIFICATE-----

   <alphanumeric certificate characters> <----- Certificate

   -----END CERTIFICATE-----

   -----BEGIN CERTIFICATE-----

   <alphanumeric certificate characters> <----- Intermediate Certificate

   -----END CERTIFICATE-----

   -----BEGIN CERTIFICATE-----

   <alphanumeric certificate characters> <----- Root Certificate

   -----END CERTIFICATE-----
   
   

   For example:

   Provide a valid custom certificate for Machine SSL.

   File : /tmp/ssl/machine_name_ssl.cer

   Provide a valid custom key for Machine SSL.

   File : /tmp/ssl/machine_name_ssl.key

   Provide the signing certificate of the Machine SSL certificate.

   File : /tmp/ssl/Root64.cer
   
   

9. Answer Yes (Y) to the confirmation request to proceed.