VMware vCenter Replace Machine Certificate With Custom CA
This blog contains the procedure to change the vCenter Machine certificate with your own custom certificate. There are different ways to replace the default certificate and therefore it is quite complex.
Note that the self-signed certificates are valid for a maximum of two years. Those certificates will not be renewed automatically. An expired certificate will result in service interruption.
Summary of actions to take:
- Create a CSR request
- Submit the CSR request to the Certificate Authority (CA)
- Save the chain of the certificate in a separate file
- Upload the certificate to the vCenter server
- Run the Certificate manager in order to import the new certificate
- vCenter services will be restarted
Create a CSR Request
- Enable SSH and Bash Shell within the appliance web console https:\\FQDN:5480
- Connect with Putty and WinSCP to the vCenter (or other tools)
- With WinSCP create a subfolder under /tmp/
- With Putty run “/usr/lib/vmware-vmca/bin/certificate-manager”
- Go for option “1” “Replace Machine SSL certificate with custom certificate”
choose option “1”
- Choose option 1 “Generate certificate signing request(s) and Key(s) for machine SSL Certificate
- Output directory path: /tmp/cert
- Specify the properties
| Property | Value |
| Country | Default, specify own. |
| Name | FQDN vCenter |
| Organization | Default, specify own. |
| OrgUnit | Default, specify own. |
| State | Default, specify own. |
| IPAddress | Ip of the vCenter |
| Hostname | FQDN |
| VMCA Name | FQDN |
File are generated at the specified output location. In my case “/tmp/cert”
Submit the CSR request to the Certificate Authority (CA)
- Download the CSR file (VMCA_Issued_CSR.CSR) with WinSCP
- Copy the CSR file to the Certificate Authority (CA) or sub CA
- With cmd run the command “certreq -submit -attrib “CertificateTemplate:WebServer”
- Select the Certificate Authority
- Save the Certificate to the temp folder
- Check the certificate and chain
Save the chain of the certificate in a separate file
- Export the the CA (Base-64 Encoded)
- Export the sub CA (if there is a sub ca 😉 )
When all certificates are exported, you’ve got a list of two or three certificates:
- vCenter certificate
- CA Certificate
- Optional sub CA certificate
During the import of the new vCenter certificate you need to import the certificate chain with a single file. Therefore is the next step neccessary with multiple CA’s
When using multiple CA’s Open each certificate with Notepad++ and copy the hole text of the sub CA and paste it within the CA certificate.
Final steps
- Upload the Certificate and the Chain to the vCenter Appliance ( in my case the “/tmp/cert” folder
- With Putty run “/usr/lib/vmware-vmca/bin/certificate-manager”
- Go for option “1” “Replace Machine SSL certificate with custom certificate”
- Go for option “2” “Import custom Certificate and key(s) to replace existing machine SSL certificate”
- Specify the location of the certificate
- Specify the location of the key file
- Specify the location of the chain certificate file
| Type | Path |
| Machine certificate | /tmp/cert/Cert.cer |
| Key File machine SSL | /tmp/cert/vmca_issued_key.key |
| Chain certificate | /tmp/cert/chain.cer |
After continue the operation, the vCenter server services will be restarted.
Services will be updated with the new custom certificate, therefore the vCenter server services will be restarted.
Done!!! vCenter server is running again and used the custom certificate
Thanks for reading, it was a pleasure to write about replacing the self-signed certificate.
Greetz, Kevin
Thank you for this walk through! I was struggling with getting my vCenter to take a cert from my MS CA but kept getting tls and trustanchor errors. I have a two CA setup, a Root CA and a Policy Issuing CA, and did realize I had to merge the two into a single basecode 64 cert for it to be imported into vCenter 7. Thanks again for this!