Replacing default certificates in vSphere 6 – Part 4

In the previous blog post we saw how to replace the SSL certificate for the PSC (Platform Services Controller) component of vCenter Server. That brings us to the final post of the series, where we look at the steps to replace the Machine SSL certificate for the vCenter Server service itself.

If you have replaced SSL certificates in version 5.x, this will be a cakewalk. Certificate request generation and processing are now automated, and there is a single step for replacing the certificates of all the services (vCenter Service, Inventory Service and Web Client) instead of doing each one individually as in the previous versions. This makes life easier for engineers by cutting down the number of tasks in the certificate replacement process.

Since the focus here is the steps involved in replacing the SSL certificates, I will skip the details of installing the vCenter components. I have included some screenshots of the installation below so we don't break the flow.



Post installation, we need to navigate to the location "C:\Program Files\VMware\vCenter Server\vmcad".


Once in that location, launch the certificate-manager tool (certificate-manager.bat), which ships with vCenter from version 6.0 onwards. This tool automates generating the certificate request for signing and also updates the certificates for the VC and the PSC. Choose option 1 (Replace Machine SSL certificate with custom certificate).


After choosing option 1, enter the IP/FQDN of the vCenter server and the credentials of the SSO administrator when prompted.


Choose option 1 again to generate the certificate signing request (CSR) for the CA. Enter all the details requested for the certificate (country, organization, hostname and so on) and the directory where the CSR and key file should be written; in our case this is C:\Certs. Do not close the window: the tool waits at this point until the signed certificate is ready to be imported.


Once the CSR and key files have been generated, we can get the CSR signed by the CA server.


Open the CSR file in Notepad and copy its contents. Point the browser to the certsrv URL of the CA and click on "Request a certificate". Follow the steps and download the Base64-encoded .cer file signed by the CA.


Rename it to "Machine_ssl.cer" or anything of your preference. Also download the CA certificate chain and produce the .cer file for the CA server; refer to the previous articles in this series to see how this is done.


Now go back to the command window and choose option 1 to continue with importing the signed certificate. Provide the paths to the signed certificate, the CA server's certificate and the key file that was generated earlier, then enter Y to start replacing the certificates.


This takes a while, since the tool also restarts the vCenter services, and you should see the message below that the process completed successfully.


Now check the vCenter certificate in the browser to make sure the new certificate is being presented. If the old certificate still shows up, clear the browser cache (or open a fresh private window) and reload. Note that the browser will keep warning about the certificate until the CA's chain is installed in the client's trusted root store, even though the replacement itself succeeded.
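The two checks I would run around the import step, as an added example that is not part of the original post and not code from VMware's certificate-manager tool: before feeding the signed certificate to the tool, confirm that it names the vCenter FQDN, is inside its validity window and chains to the CA certificate downloaded from certsrv; after the tool reports success, connect to port 443 and compare the thumbprint of the certificate vCenter actually presents with the one you imported. The FQDN vcenter.lab.local and the file names C:\Certs\Machine_ssl.cer and C:\Certs\Root64.cer are assumptions for the example; substitute your own.

```powershell
# Added example, not part of the original post or of VMware's certificate-manager.
# Assumed inputs: C:\Certs\Machine_ssl.cer (Base64 .cer downloaded from certsrv),
# C:\Certs\Root64.cer (the CA's certificate, also from certsrv) and the FQDN vcenter.lab.local.

function Test-MachineSslCertificate {
    param(
        [Parameter(Mandatory)][string]$SignedCertPath,
        [Parameter(Mandatory)][string]$CaCertPath,
        [Parameter(Mandatory)][string]$Fqdn
    )
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SignedCertPath
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
    $problems = @()

    # 1. The name clients connect to must appear in the Subject CN or in the SAN extension (OID 2.5.29.17).
    $sanExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $cnPattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
    if ($leaf.Subject -notmatch $cnPattern -and $sanText -notmatch [regex]::Escape($Fqdn)) {
        $problems += "Neither Subject nor SAN names $Fqdn (Subject: $($leaf.Subject); SAN: $sanText)"
    }

    # 2. Check the validity window before the tool restarts services on this certificate.
    $now = Get-Date
    if ($leaf.NotBefore -gt $now -or $leaf.NotAfter -lt $now) {
        $problems += "Certificate is outside its validity period ($($leaf.NotBefore) to $($leaf.NotAfter))"
    }

    # 3. The certificate must chain to the CA certificate exported from certsrv; otherwise the
    #    import can succeed while every client still sees an untrusted certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # The lab CA is usually not yet in this machine's trusted root store, so allow an unknown
    # root during the build and then verify explicitly that our CA is in the resulting chain.
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.Build($leaf)
    $chainedToCa = $chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $ca.Thumbprint }
    if (-not $chainedToCa) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Certificate does not chain to $CaCertPath ($status)"
    }

    [pscustomobject]@{
        Thumbprint = $leaf.Thumbprint
        Issuer     = $leaf.Issuer
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

function Get-PresentedCertificate {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept whatever the server sends: we only want to inspect it here, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Before running the import step in certificate-manager:
$check = Test-MachineSslCertificate -SignedCertPath 'C:\Certs\Machine_ssl.cer' `
                                    -CaCertPath 'C:\Certs\Root64.cer' -Fqdn 'vcenter.lab.local'
$check.Problems | ForEach-Object { Write-Warning $_ }

# After the tool reports success, compare what vCenter actually serves on 443:
$live = Get-PresentedCertificate -Fqdn 'vcenter.lab.local'
if ($live.Thumbprint -eq $check.Thumbprint) {
    'vCenter now presents the new Machine SSL certificate'
} else {
    Write-Warning "vCenter still presents $($live.Thumbprint); expected $($check.Thumbprint)"
}
```

The post-replacement check deliberately bypasses trust validation in the callback and compares thumbprints instead, so it tells you whether the swap happened regardless of whether the machine you run it from trusts the CA yet; the chain check in the first function is what tells you whether clients will trust it once the CA chain is in their root store.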


That concludes the steps involved in replacing SSL certificates in vSphere 6.

Hope this was helpful.
