After you replace the Platform Services Controller certificate, you replace the vCenter Server machine SSL certificate. You generate a vCenter Server certificate manually or by using the CertGenVVD tool.

You replace certificates twice, once for each vCenter Server instance. Start by replacing the certificate on the Management vCenter Server mgmt01vc01.sfo01.rainpole.local.

Certificate-Related Files on the vCenter Server Instances

vCenter Server FQDN                Files for Certificate Replacement   Replacement Order
mgmt01vc01.sfo01.rainpole.local    mgmt01vc01.sfo01.key                After you replace the certificate on the management Platform Services Controller.
                                   mgmt01vc01.sfo01.1.cer
                                   chainRoot64.cer
comp01vc01.sfo01.rainpole.local    comp01vc01.sfo01.key                After you replace the certificate on the compute Platform Services Controller.
                                   comp01vc01.sfo01.1.cer
                                   chainRoot64.cer

1. Use the scp command, FileZilla, or WinSCP to copy the machine and CA certificate files listed above to the /tmp/ssl directory on the Management vCenter Server.

2. Log in to the vCenter Server instance by using a Secure Shell client.

   a. Open an SSH connection to the FQDN of the vCenter Server appliance mgmt01vc01.sfo01.rainpole.local.

   b. Log in using the following credentials.

      Setting     Value
      User name   root
      Password    vcenter_server_root_password

3. Replace the CA-signed certificate on the vCenter Server instance.

   a. From the SSH client connected to the vCenter Server instance, add the root certificate to the VMware Endpoint Certificate Store as a Trusted Root Certificate using the following command, and enter the vCenter Single Sign-On password when prompted.

      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer

   b. Start the vSphere Certificate Manager utility on the vCenter Server instance.

      /usr/lib/vmware-vmca/bin/certificate-manager

   c. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.

   d. When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.

      Option                             IP Address of Connected Platform Services Controller
      mgmt01vc01.sfo01.rainpole.local    172.16.11.61
      comp01vc01.sfo01.rainpole.local    172.16.11.63

   e. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).

   f. When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that have been generated by vSphere Certificate Manager earlier, and confirm the import with Yes (Y).

      vCenter Server                     Input to the vSphere Certificate Manager Utility
      mgmt01vc01.sfo01.rainpole.local    Please provide valid custom certificate for Machine SSL.
                                         File : /tmp/ssl/mgmt01vc01.sfo01.1.cer
                                         Please provide valid custom key for Machine SSL.
                                         File : /tmp/ssl/mgmt01vc01.sfo01.key
                                         Please provide the signing certificate of the Machine SSL certificate.
                                         File : /tmp/ssl/chainRoot64.cer
      comp01vc01.sfo01.rainpole.local    Please provide valid custom certificate for Machine SSL.
                                         File : /tmp/ssl/comp01vc01.sfo01.1.cer
                                         Please provide valid custom key for Machine SSL.
                                         File : /tmp/ssl/comp01vc01.sfo01.key
                                         Please provide the signing certificate of the Machine SSL certificate.
                                         File : /tmp/ssl/chainRoot64.cer

4. After Status shows 100% Completed, wait several minutes until all vCenter Server services are restarted.

5. After you replace the certificate on the mgmt01vc01.sfo01.rainpole.local vCenter Server, repeat the procedure to replace the certificate on the compute vCenter Server comp01vc01.sfo01.rainpole.local.
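A mismatched key, a certificate that does not chain to chainRoot64.cer, or a certificate issued for the wrong FQDN is only discovered once certificate-manager has already started replacing the machine SSL certificate in step 3, which leaves the services restarting with an unusable certificate. The following POSIX shell script is an added example, not part of the VMware procedure or the CertGenVVD tool: it checks a bundle (machine certificate, private key, CA chain) with openssl before you copy it to /tmp/ssl in step 1. The function names check_cert_bundle and make_demo_bundle, and the self-signed demo CA and certificate the script constructs in a temporary directory, are assumptions for the example; the SAN requirement is the example's own check, not a rule stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for a vCenter machine SSL certificate bundle.
# Requires the openssl command-line tool (OpenSSL 1.1.1 or later assumed).

# check_cert_bundle CERT KEY CHAIN FQDN
# Returns 0 when the key matches the certificate, the certificate chains to the
# CA file, and the FQDN appears in the certificate's Subject Alternative Name.
check_cert_bundle() {
  cert="$1"; key="$2"; chain="$3"; fqdn="$4"
  for f in "$cert" "$key" "$chain"; do
    [ -r "$f" ] || { echo "missing or unreadable file: $f" >&2; return 1; }
  done
  # 1. Key/certificate pairing: derive the public key from each side and compare.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl md5)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate $cert" >&2; return 1; }
  # 2. Chain validation against the CA file that will be published with dir-cli.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "certificate $cert does not chain to $chain" >&2; return 1; }
  # 3. The appliance FQDN must be covered by the certificate's SAN.
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -qF "DNS:$fqdn" \
    || { echo "FQDN $fqdn not present in SAN of $cert" >&2; return 1; }
  echo "bundle OK for $fqdn"
  return 0
}

# make_demo_bundle DIR PREFIX FQDN
# Constructs a throwaway CA (chainRoot64.cer) and a leaf certificate/key pair
# named like the files in the table above (PREFIX.1.cer, PREFIX.key). This is
# demo material for the example only; production files come from CertGenVVD.
make_demo_bundle() {
  dir="$1"; prefix="$2"; fqdn="$3"
  mkdir -p "$dir"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/chainRoot64.cer" \
    -subj "/CN=Demo Root CA (constructed)" -days 30 >/dev/null 2>&1
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/$prefix.key" -out "$dir/$prefix.csr" \
    -subj "/CN=$fqdn" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
  openssl x509 -req -in "$dir/$prefix.csr" -CA "$dir/chainRoot64.cer" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$prefix.1.cer" \
    -days 30 -extfile "$dir/san.ext" >/dev/null 2>&1
}

# Stand-alone run: build a demo bundle for the management vCenter Server name
# used on this page and check it.
demo() {
  d=$(mktemp -d)
  make_demo_bundle "$d" "mgmt01vc01.sfo01" "mgmt01vc01.sfo01.rainpole.local"
  check_cert_bundle "$d/mgmt01vc01.sfo01.1.cer" "$d/mgmt01vc01.sfo01.key" \
    "$d/chainRoot64.cer" "mgmt01vc01.sfo01.rainpole.local"
  rc=$?
  rm -rf "$d"
  return $rc
}
demo
```

Run the check against the real mgmt01vc01.sfo01.1.cer, mgmt01vc01.sfo01.key and chainRoot64.cer before step 1; a non-zero exit with the printed reason means the bundle should be regenerated rather than imported. The same three files are the ones certificate-manager asks for in step 3f, so a bundle that passes here is the one you point the utility at.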