Replace vCenter 7.0 Machine Certificate with Internal SSL certificate using vCenter Web Console

 How to replace machine certificate with Internal SSL certificate using vCenter web console

This article explains how to replace the Machine SSL certificate of vCenter 7.0.

Log in to the certificate server.

Open PowerShell and run the command below, replacing the FQDN with your vCenter FQDN:

Get-Certificate -Template WebServerCustom -SubjectName "CN=DEMOVCSA.vsphere.com,OU=International SOS,O=International SOS,L=Singapore,S=SG,C=SG" -DnsName DEMOVCSA.vsphere.com,DEMOVCSA -CertStoreLocation Cert:\LocalMachine\My


Open MMC -> This computer -> Certificates

Expand the Personal certificate folder -> you will see that a certificate with the same name has already been created.

Export -> 




Make sure you have selected Export all extended properties



Enter the password


Go to the path where you exported the .pfx file.

Now open the Win32 OpenSSL command prompt with Administrator privileges.




Run the commands below after replacing the file names:


openssl pkcs12 -in C:\Certificate\server\DEMOVCSA.pfx -nocerts -out C:\Certificate\server\DEMOVCSA.key.pem -nodes


Password: Temp@123


openssl pkcs12 -in C:\Certificate\server\DEMOVCSA.pfx -nokeys -out C:\Certificate\server\DEMOVCSA.pem


Two files are now exported to the given path -> C:\Certificate\server\


DEMOVCSA.key.pem

DEMOVCSA.pem
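Before importing, it is worth confirming that the two exported files belong together. The PowerShell check below is an added example, not part of the original article; it assumes openssl is on the PATH and that the vCenter (leaf) certificate is the first certificate in DEMOVCSA.pem, and it uses the sample paths and FQDN from this article.

```powershell
# Added example: pre-import checks on the files produced by the two openssl commands.
# Paths and FQDN are the article's sample values; openssl on PATH is an assumption.
$CertPem = 'C:\Certificate\server\DEMOVCSA.pem'
$KeyPem  = 'C:\Certificate\server\DEMOVCSA.key.pem'
$Fqdn    = 'DEMOVCSA.vsphere.com'

# 1. The private key must match the certificate: compare the public key taken
#    from the certificate with the public key derived from the private key.
$certPub = (& openssl x509 -in $CertPem -noout -pubkey) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "Cannot read certificate from $CertPem" }
$keyPub = (& openssl pkey -in $KeyPem -pubout) -join "`n"
if ($LASTEXITCODE -ne 0) { throw "Cannot read private key from $KeyPem" }
$keyMatches = ($certPub -eq $keyPub)

# 2. The vCenter FQDN must appear as a DNS entry in the Subject Alternative Name.
$certText = (& openssl x509 -in $CertPem -noout -text) -join "`n"
$sanOk = $certText -match ('DNS:' + [regex]::Escape($Fqdn) + '(,|\s|$)')

# 3. The certificate must not be expired (-checkend 0 exits non-zero if it is).
& openssl x509 -in $CertPem -noout -checkend 0 | Out-Null
$notExpired = ($LASTEXITCODE -eq 0)

# 4. The -nodes option wrote the private key without encryption. Detect that and
#    restrict the file to the current user until the import is finished.
$keyIsPlaintext = [bool](Select-String -Path $KeyPem -Pattern 'BEGIN (RSA )?PRIVATE KEY' -Quiet)
if ($keyIsPlaintext) {
    icacls $KeyPem /inheritance:r /grant:r "$(whoami):R" | Out-Null
}

# Summary of all checks.
[pscustomobject]@{
    KeyMatchesCertificate = $keyMatches
    SanContainsFqdn       = $sanOk
    NotExpired            = $notExpired
    KeyFileUnencrypted    = $keyIsPlaintext
}

if (-not ($keyMatches -and $sanOk -and $notExpired)) {
    throw 'Checks failed: do not import this certificate and key into vCenter.'
}
```

Because the key file is unencrypted on disk, delete DEMOVCSA.key.pem and the .pfx from the workstation once vCenter reports a successful import.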


Now log in to vCenter with an account that has global permissions.


Click on Menu -> Administration

Under Certificates, click Certificate Management


Now go to Machine_Cert -> Actions

Click Import and Replace Certificate



Select Replace with external CA Certificates Private Key




Click Next


Open the DEMOVCSA.pem file in Notepad from C:\Certificate\server\

Copy -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste


Copy second Key and paste in 


Now open the other file, DEMOVCSA.key.pem, in Notepad and paste it in



Then click Replace



You will now see a message that the certificate import completed successfully, and you will be asked to log in again.


It will take some time for the services to come back up.

Once the services are up, open the vCenter web console and check the certificate status; it should now show a trusted certificate.

