Replacing default certificates in vSphere 6 – Part 2

This is the second blog post in the Replacing default certificates in vSphere 6 series. The first post can be found here.

In this blog post we take a look at how to obtain the CA certificate from the certificate authority.

Now that we have a CA up and running and the certificate template created for vSphere 6, we can go ahead and download the CA root certificate, which we will be using to generate the signing request for vSphere components.

Log in to the CA server through a web browser by pointing it to https://<CA-Server>/certsrv. Then click on the Download a CA certificate, certificate chain, or CRL option.


In the next window, select the radio button Base 64 and click on Download CA certificate chain.


This will save the certificate in the p7b format. Save it, open it with the certificate viewer tool and then export it to the .cer format. The p7b is a chain and cannot be used in the process of signing the request or replacing the certificates.



This has to be saved at a location (C:\Certs in our case) so we can use this later. This folder is created on the PSC machine as we will be replacing the certificates in PSC and then proceeding on to the vCenter server.
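A scripted equivalent of the export step above, as an added example that is not part of the original post: it splits the downloaded p7b chain into individual .cer files and prints each thumbprint so it can be checked against the CA. The input file name `certnew.p7b`, the output names `Root64.cer` and `Intermediate64-N.cer`, and the choice of Base-64 encoding for the exported files are assumptions.

```powershell
# Assumed paths: adjust to wherever the p7b was saved on the PSC machine.
$p7bPath = 'C:\Certs\certnew.p7b'   # assumed file name of the downloaded chain
$outDir  = 'C:\Certs'

if (-not (Test-Path $p7bPath)) { throw "Chain file not found: $p7bPath" }

# Load every certificate contained in the PKCS#7 (p7b) bundle.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($p7bPath)
if ($chain.Count -eq 0) { throw "No certificates found in $p7bPath" }

$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$index = 0
foreach ($cert in $chain) {
    $index++

    # A self-signed certificate (Subject equals Issuer) is the root CA;
    # anything else in the bundle is an intermediate CA.
    $isRoot = $cert.Subject -eq $cert.Issuer
    $name = if ($isRoot) { 'Root64.cer' } else { "Intermediate64-$index.cer" }

    # Export the single certificate as DER, then wrap it as Base-64 text.
    $der = $cert.Export($certType)
    $b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    [IO.File]::WriteAllText((Join-Path $outDir $name), $pem, [Text.Encoding]::ASCII)

    # Print what was written so the thumbprint and expiry can be verified.
    '{0}  Subject={1}  Thumbprint={2}  NotAfter={3:u}' -f `
        $name, $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}
```

Compare the printed root thumbprint with the one shown for the CA certificate on the CA server itself before using the exported file.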


Now we can proceed to the next step, which is generating the signing requests for the PSC and getting them signed by the certificate authority.

