You must generate a certificate-signing request (CSR) for each system that requires a replacement certificate.

See the OpenSSL documentation at for information about OpenSSL commands and options.

Edit your OpenSSL configuration file (openssl.cnf) to suit your environment.


Generate the RSA key for the vCenter Server system and the CSR.

For example:

openssl req -new -nodes -out mycsr.csr -config openssl.cnf


When prompted, type the fully qualified host name as the system's commonName.


Send the certificate request to the commercial certificate authority of your choice and wait for the return of the signed certificate.

Or, sign the request using your local root certificate authority:

openssl ca -out rui.crt -config openssl.cnf -infiles mycsr.csr


At the prompt, type the password needed to access the root key.

You now have a newly generated and signed certificate (rui.crt) for the specified system, and the private key for the system (rui.key).
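
A non-interactive variant of the key and CSR generation steps above, with checks to run before the request is sent for signing. This is an added example, not part of the original procedure: the host name vc01.example.test, the DN values, and the function names make_csr and check_csr are constructed, and it sets commonName in openssl.cnf (prompt = no) instead of answering the prompt.

```shell
#!/bin/sh
# Added example. vc01.example.test and the DN values are constructed placeholders.

make_csr() {   # usage: make_csr <workdir> <fqdn>
    dir=$1; fqdn=$2
    # Minimal request config: default_keyfile names the private key rui.key,
    # prompt = no takes the subject from [ req_dn ] instead of asking for it.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
default_bits       = 2048
default_keyfile    = rui.key
distinguished_name = req_dn
prompt             = no

[ req_dn ]
countryName      = US
organizationName = Example Org
commonName       = $fqdn
EOF
    # umask 077 keeps the unencrypted key (-nodes) readable by its owner only.
    (umask 077; cd "$dir" && openssl req -new -nodes -out mycsr.csr -config openssl.cnf)
}

check_csr() {  # usage: check_csr <workdir> <fqdn>; returns 0 only if every check passes
    dir=$1; fqdn=$2
    # 1. The CSR's self-signature verifies (match the message, since older
    #    OpenSSL releases do not reliably signal failure via the exit code).
    openssl req -in "$dir/mycsr.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. commonName is exactly the expected fully qualified host name.
    cn=$(openssl req -in "$dir/mycsr.csr" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || return 1
    # 3. The public key in the CSR belongs to rui.key, so the signed
    #    certificate will pair with the key that stays on the system.
    csr_pub=$(openssl req -in "$dir/mycsr.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/rui.key" -pubout)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

work=$(mktemp -d)
make_csr "$work" vc01.example.test &&
    check_csr "$work" vc01.example.test &&
    echo "CSR ready to submit: $work/mycsr.csr"
```

Only mycsr.csr goes to the certificate authority; rui.key never leaves the system.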