Replacing the certificate reencrypts all host passwords and the database password by using the new certificate.

Verify that you have administrator privileges on the system.

Acquire or generate the following files:

X.509 certificate file with RSA public key in PEM format, named rui.crt

RSA private key in PEM format, named rui.key

PKCS12 bundle of the same certificate and key, named rui.pfx

Note: You do not need to update the keystore files sms.keystore and sms.truststore. SMS populates these files.

1. Use a browser to connect to the vCenter Server system and view the existing certificate.

   The method to view the certificate varies depending on the browser you are using. See your browser's documentation for more information.

2. Take a screenshot or otherwise record the details of the existing certificate.

   After you load the new certificates into memory, you can use the screenshot to verify that the certificate was successfully replaced by comparing the old certificate to the new certificate.

3. On the server system, locate the SSL directory for vCenter Server.

   For Windows 2008, the location is typically C:\Program Data\VMware\VMware VirtualCenter\SSL.

   For Windows 2003, the location is typically C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL.

4. Back up the three existing certificate files: rui.crt, rui.key, and rui.pfx.

5. Copy the new certificate files into the SSL directory, overwriting the existing certificates.

6. Using a browser on the vCenter Server system, connect to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1

   If you use a browser on another system, connect to https://vSphere_server_system/mob/?moid=vpxd-securitymanager&vmodl=1

7. Enter the administrator name and password for the vCenter Server system.

   The Managed Object Type: vpxSecurityManager Web page appears.

8. Under Methods, click reloadSslCertificate.

9. Click Invoke Method.

   The following message appears: Method Invocation Result: void.

10. On the vCenter Server system, restart VMware vCenter Management Webservices.

    Linked Mode and other features will not function if you do not restart this service. Because the certificate thumbprint is published as Linked Mode shared information, it might take some time to replicate to the other vCenter Server instances in the Linked Mode group.

11. Replace the certificate used by the vCenter Server Inventory Service.

    a. Copy rui.key, rui.crt, and rui.pfx to the vCenter Server Inventory Service installation directory.

       For example, C:\Program Files\VMware\Infrastructure\Inventory Service\SSL\.

    b. Restart the Inventory Service using the Control Panel on the Windows system.

12. Refresh the page in the browser window and verify that the new certificate is installed by comparing it to the old certificate you recorded in Step 2.

If you installed the new certificate successfully, all host passwords and the database password are reencrypted using the new certificate. If your installation was unsuccessful (for example, the new certificate does not appear to load, vCenter Server cannot connect to managed hosts, or vCenter Server cannot connect to the database), see the vSphere Troubleshooting documentation.
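
A pre-flight check and backup for steps 2 through 5, as an added PowerShell example (not VMware's tooling): it confirms that rui.pfx bundles the same certificate as rui.crt, backs up the existing files, copies the new ones, and prints the old and new thumbprints for the comparison in step 12. The parameter names, the staging directory, and the backup folder name are assumptions; rui.key is copied but not parsed.

```powershell
# Added example. Assumptions: the new files are staged in $NewDir, $SslDir is the
# SSL directory located in step 3, and $PfxPassword is the password rui.pfx was created with.
param(
    [Parameter(Mandatory=$true)][string]$NewDir,
    [Parameter(Mandatory=$true)][string]$SslDir,
    [Parameter(Mandatory=$true)][string]$PfxPassword
)
$ErrorActionPreference = 'Stop'
$names  = 'rui.crt', 'rui.key', 'rui.pfx'
# Resolve to absolute paths: the .NET constructors do not follow the PowerShell location.
$NewDir = (Resolve-Path $NewDir).Path
$SslDir = (Resolve-Path $SslDir).Path

# Every file must exist on both sides before anything is overwritten.
foreach ($n in $names) {
    if (-not (Test-Path (Join-Path $NewDir $n))) { throw "Missing new file: $n" }
    if (-not (Test-Path (Join-Path $SslDir $n))) { throw "Missing existing file: $n" }
}

$type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$old  = New-Object $type -ArgumentList (Join-Path $SslDir 'rui.crt')
$crt  = New-Object $type -ArgumentList (Join-Path $NewDir 'rui.crt')
$pfx  = New-Object $type -ArgumentList (Join-Path $NewDir 'rui.pfx'), $PfxPassword

# rui.pfx must carry the same certificate as rui.crt, together with a private key.
if ($pfx.Thumbprint -ne $crt.Thumbprint) { throw 'rui.pfx does not contain the certificate in rui.crt' }
if (-not $pfx.HasPrivateKey)             { throw 'rui.pfx has no private key' }
$now = Get-Date
if ($crt.NotBefore -gt $now -or $crt.NotAfter -lt $now) {
    throw "rui.crt is not currently valid ($($crt.NotBefore) to $($crt.NotAfter))"
}

# Step 4: the backup holds the old private key, so it stays under the SSL
# directory and inherits that directory's ACL.
$backup = Join-Path $SslDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($n in $names) { Copy-Item (Join-Path $SslDir $n) $backup }

# Step 5: overwrite the existing files with the new ones.
foreach ($n in $names) { Copy-Item (Join-Path $NewDir $n) (Join-Path $SslDir $n) -Force }

# Record both thumbprints (SHA-1 of the DER certificate) for the step 12 comparison.
"Backup written to:      $backup"
"Old thumbprint (SHA-1): $($old.Thumbprint)"
"New thumbprint (SHA-1): $($crt.Thumbprint)"
```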