Replacing default certificates in vSphere 6 – Part 3

This is the third blog post in the Replacing default certificates in vSphere 6 series. The first post can be found here. The second is here.

In this blog post we will take a look at replacing the certificates on the external Platform Services Controller (PSC) server.

Before we get into the details, let us make sure the external PSC is installed on a Windows server.


Select the vCenter for Windows option and install the external PSC.


Since this is a blog series on certificate replacement, we will skip the installation steps and move on.


Post installation, we need to navigate to the location "C:\Program Files\VMware\vCenter Server\vmcad".


Once in that location, launch the certificate-manager tool, which ships with vCenter 6.0. This tool automates generating the certificate signing request and also updates the certificates for the VC and the PSC. Choose option 1 (Replace Machine SSL certificates with custom certificates).


Now choose option 1 again to generate the signing request and key for the machine SSL certificate. Then input the location where the request and the key will be placed. We will use "C:\Certs".


Enter the details for the certificate to be generated, as shown in the next window.


Now enter the SSO administrator user name and password.


We can navigate to "C:\Certs" and check for the generated files. We will see two files: the .csr and the .key. Do not close the command window.


The next step involves getting the CSR signed by a certificate authority (CA). We will have to log in to the CA server and click on "Request a certificate".


Now click on "Advanced certificate request".


Open the .csr file and copy all of its content without adding any spaces.


Paste the content copied from the .csr file into the empty request box. Select the certificate template which we created in our first blog post and click Submit.


Now download the signed certificate in Base64 encoded format.


Save this under C:\Certs.


Come back to the command window (I had to switch to PowerShell for some compatibility reasons). Choose option 1, which continues with importing the signed certificate.


Provide the location of the newly signed certificate, the key file generated earlier, and the CA certificate obtained in the previous post.


Once this is entered, the tool automatically updates all the services with the new certificate.


Once this process is complete, we can point the browser to the PSC URL and make sure the new certificate has been picked up. A reboot might be required.
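Checking in the browser works, but it is easy to be fooled by a cached page or a browser that trusts the old VMCA-issued certificate. The script below is an added example (not from the original post or from VMware) that pulls the certificate the PSC actually presents on port 443 and checks the things that matter after a replacement: that the issuer is our CA rather than the built-in VMCA, that the PSC's FQDN is in the subject alternative names, that the chain builds against the local trust store, and that the certificate is not about to expire. The host name "psc.example.local" and the issuer CN "lab-CA" are assumptions; substitute your own PSC FQDN and the CN of the CA set up in the first post.

```powershell
# Added example: verify the certificate served by the PSC after replacement.
# Run from any Windows box that can reach the PSC on 443.
param(
    [string]$PscHost = 'psc.example.local',   # assumption: your PSC FQDN
    [int]$Port = 443,
    [string]$ExpectedIssuerCN = 'lab-CA',     # assumption: CN of the CA from the first post
    [int]$MinDaysValid = 30
)

function Get-RemoteCertificate {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept whatever the server sends so we can inspect it; the real
        # validation is done explicitly below rather than by this callback.
        $acceptAll = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        # Copy the certificate so it survives closing the stream.
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

$cert = Get-RemoteCertificate -ComputerName $PscHost -Port $Port

# Pull the CN out of the issuer DN, e.g. "CN=lab-CA, DC=lab, DC=local"
$issuerCN = (($cert.Issuer -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''

# Subject Alternative Name extension, formatted as text (empty string if absent)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san = if ($sanExt) { [string]$sanExt.Format($true) } else { '' }

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

# Build the chain against this machine's trust store; the CA from the first
# post must be in Trusted Root CAs for this to succeed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    SAN        = ($san -replace '\s+', ' ')
    ChainOK    = $chainOk
} | Format-List

$ok = $true
if ($issuerCN -ne $ExpectedIssuerCN) {
    Write-Warning "Issuer CN is '$issuerCN', expected '$ExpectedIssuerCN'. The old certificate is probably still being served; try a reboot."
    $ok = $false
}
if ($san -notmatch [regex]::Escape($PscHost)) {
    Write-Warning "SAN does not contain '$PscHost'; browsers will still show a name mismatch."
    $ok = $false
}
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain problem: " + $_.StatusInformation.Trim()) }
    $ok = $false
}
if ($daysLeft -lt $MinDaysValid) {
    Write-Warning "Certificate expires in $daysLeft days."
    $ok = $false
}

if ($ok) { 'PSC certificate replacement looks good.' } else { exit 1 }
```

Because the validation callback accepts everything, the script never trusts the connection by itself; the `$chain.Build()` call and the issuer/SAN checks are what decide. Run it once before the replacement as well, so you have the old thumbprint to compare against.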


The next step is to replace the certificate for the VC server.
