You can change the machine SSL certificate of a vCenter Server system by using the TLS and the TLS CSR interfaces of the vSphere Automation API.
The machine SSL certificate is used for server verification and for secure communication such as HTTPS or LDAPS. The machine certificates are the human-facing certificates in vSphere. They are used to create an SSL socket on the server side to which SSL clients can then connect.
Replacing the machine SSL certificate with one issued by an official or enterprise certificate authority is an essential part of the Hybrid Mode of vSphere certificate management. In this mode, you replace only the machine SSL certificate and leave the VMCA to manage all other certificates automatically. The VMCA is a just-enough internal certificate authority that is integrated into your vSphere deployment. It has been purpose-built to serve the certificate needs of your vSphere environment. For more information on vSphere certificate management, see the vSphere Authentication guide.
Prerequisites
- Verify that the root certificate of the CA you are going to use is available on your machine.
- Verify that you have the required privileges: and .
Procedure
- (Optional) Retrieve the current machine SSL certificate of your vCenter Server system by calling the get function of the Tls interface.
- Generate a certificate signing request (CSR) by using the TlsCsr interface.
- Create a new object of type TlsCsrTypes.Spec by using the following parameters/methods.
Parameter/Method | Description
---|---
setCountry / country | Specify the country in the certificate subject.
setStateOrProvince / state_or_province | Specify the state or province in the certificate subject.
setLocality / locality | Specify the locality in the certificate subject.
setOrganization / organization | Specify the organization in the certificate subject.
setOrganizationUnit / organization_unit | Specify the organization unit in the certificate subject.
setEmailAddress / email_address | Specify the email address in the certificate subject.
- Create the CSR by calling the create(TlsCsrTypes.Spec) method and passing the CSR specification.
The system returns the CSR in PEM format.
- Save the CSR to your machine.
- Send the CSR to the certificate authority of your choice.
Note: The private key corresponding to the public key generated by the CSR is stored in the vCenter Server keystore and does not leave your system.
- Save the issued third-party machine SSL certificate to your machine.
- Set the new custom certificate to your vCenter Server system by using the Tls service.
- Create a new object of type TlsTypes.Spec by using the following parameters/methods.
Parameter/Method | Description
---|---
setCert / cert | The machine SSL certificate in PEM format. You must also paste the intermediate CA certificate, if you have one.
setRootCert / root_cert | The third-party root CA certificate in PEM format. You must also paste the intermediate CA certificate, if you have one.
Note: You must not provide the private key as it was generated with the CSR and is already present on your system.
- Set the new certificate to your vCenter Server system by calling the set(TlsTypes.Spec) method and passing the TLS specification as an argument.
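As an added example (not part of the vSphere documentation or the vSphere Automation SDK), the following POSIX shell functions run the checks worth doing between steps 3 and 4: that the issued certificate carries exactly the public key from the CSR (the private key never left the vCenter Server keystore), that it chains to the third-party root, and that the TlsTypes.Spec payload has the intermediate pasted into both cert and root_cert as the table above describes. It assumes the openssl CLI is installed and that the CSR, the issued certificate, the intermediate and the root were saved locally as PEM files; the file names are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for Tls.set: vCenter keeps the private key, so the
# certificate the CA returns must match the CSR's public key bit for bit.

# Usage: csr_key_matches_cert <csr.pem> <cert.pem>
# Exit 0 when the SubjectPublicKeyInfo of the CSR and of the certificate agree.
csr_key_matches_cert() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$csr_pub" = "$cert_pub" ]
}

# Usage: cert_chains_to_root <cert.pem> <root.pem> [intermediate.pem]
# Exit 0 when the leaf verifies up to the root (via the intermediate, if any).
cert_chains_to_root() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Concatenate one or more PEM files into a single JSON string literal
# (each line terminated by a literal backslash-n, as JSON requires).
pem_to_json_string() {
    awk 'BEGIN{printf "\""} {printf "%s\\n", $0} END{printf "\""}' "$@"
}

# Usage: build_tls_spec_json <cert.pem> <root.pem> [intermediate.pem]
# Emits the TlsTypes.Spec body: cert = leaf followed by the intermediate,
# root_cert = root followed by the intermediate, exactly as the table says.
# Suitable as the body of the REST form of the Tls set call
# (PUT /api/vcenter/certificate-management/vcenter/tls, assumed here).
build_tls_spec_json() {
    leaf=$1; root=$2; inter=$3
    cert_json=$(pem_to_json_string "$leaf" ${inter:+"$inter"})
    root_json=$(pem_to_json_string "$root" ${inter:+"$inter"})
    printf '{"cert":%s,"root_cert":%s}\n' "$cert_json" "$root_json"
}

# Typical use after step 3 (placeholder file names):
#   csr_key_matches_cert vcenter.csr vcenter.pem && \
#   cert_chains_to_root vcenter.pem root.pem intermediate.pem && \
#   build_tls_spec_json vcenter.pem root.pem intermediate.pem > tls-spec.json
```

If either check fails, stop before step 4: a mismatched key or an incomplete chain is exactly what breaks client connections after the services restart.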
Results
The services using the certificate restart automatically. Wait for your system to reboot and log in.