Change the Machine SSL Certificate of vCenter Server

You can use PowerCLI to change the Machine SSL certificate of a vCenter Server system. For a custom certificate, you must generate a certificate signing request (CSR) and send it to the certificate authority (CA) of your choice.

Prerequisites

  • Verify that you are connected to a vCenter Server system.

  • Verify that the root certificate of the CA you are going to use is added to the trusted root store of vCenter Server.

Procedure

  1. (Optional) Retrieve the current Machine SSL certificate of the vCenter Server system. 
    Get-VIMachineCertificate -VCenterOnly
  2. Generate a CSR.
    $csrParams = @{
    Country="US"
    Email="[email protected]"
    Locality="San Francisco"
    Organization="My Company"
    OrganizationUnit="PowerCLI"
    StateOrProvince="California"
}
$csr = New-VIMachineCertificateSigningRequest @csrParams
  3. Save the CSR to your system.
    $csr.CertificateRequestPEM | Out-File "C:\Users\jdoe\Downloads\vc.csr.pem" -Force
  4. Send the CSR to the CA of your choice.
  5. Save the issued custom certificate to your system.
  6. Set the new custom certificate to the vCenter Server system.
    $vcCert = Get-Content "C:\Users\jdoe\Downloads\vc.cert.jdoe.pem" -Raw
Set-VIMachineCertificate -PemCertificate $vcCert
    Important:

    The change of the Machine SSL certificate triggers a restart of vCenter Server. Wait for the system to reboot and login when available.