Change the Machine SSL Certificate of vCenter Server

You can use PowerCLI to change the Machine SSL certificate of a vCenter Server system. For a custom certificate, you must generate a certificate signing request (CSR) and send it to the certificate authority (CA) of your choice.

Prerequisites

  • Verify that you are connected to a vCenter Server system.

  • Verify that the root certificate of the CA you are going to use is added to the trusted root store of vCenter Server.

Procedure

  1. (Optional) Retrieve the current Machine SSL certificate of the vCenter Server system.
    Get-VIMachineCertificate -VCenterOnly
  2. Generate a CSR.
    $csrParams = @{
        Country="US"
        Email="[email protected]"
        Locality="San Francisco"
        Organization="My Company"
        OrganizationUnit="PowerCLI"
        StateOrProvince="California"
    }
    $csr = New-VIMachineCertificateSigningRequest @csrParams
  3. Save the CSR to your system.
    $csr.CertificateRequestPEM | Out-File "C:\Users\jdoe\Downloads\vc.csr.pem" -Force
  4. Send the CSR to the CA of your choice.
  5. Save the issued custom certificate to your system.
  6. Set the new custom certificate to the vCenter Server system.
    $vcCert = Get-Content "C:\Users\jdoe\Downloads\vc.cert.jdoe.pem" -Raw
    Set-VIMachineCertificate -PemCertificate $vcCert
    Note:

    Starting with vSphere 8.0 Update 2, restart of vCenter Server services after the certificate change is no longer necessary. The certificate replacement is completed seamlessly and all your sessions remain active.

    For older vSphere versions, the change of the Machine SSL certificate triggers a restart of vCenter Server. Wait for the system to reboot and log in when available.