You can use PowerCLI to change the Machine SSL certificate of a vCenter Server system. For a custom certificate, you must generate a certificate signing request (CSR) and send it to the certificate authority (CA) of your choice.
Procedure
- (Optional) Retrieve the current Machine SSL certificate of the vCenter Server system.
    Get-VIMachineCertificate -VCenterOnly
- Generate a CSR.
    $csrParams = @{
        Country="US"
        Email="[email protected]"
        Locality="San Francisco"
        Organization="My Company"
        OrganizationUnit="PowerCLI"
        StateOrProvince="California"
    }
    $csr = New-VIMachineCertificateSigningRequest @csrParams
- Save the CSR to your system.
    $csr.CertificateRequestPEM | Out-File "C:\Users\jdoe\Downloads\vc.csr.pem" -Force
- Send the CSR to the CA of your choice.
- Save the issued custom certificate to your system.
- Set the new custom certificate to the vCenter Server system.
    $vcCert = Get-Content "C:\Users\jdoe\Downloads\vc.cert.jdoe.pem" -Raw
    Set-VIMachineCertificate -PemCertificate $vcCert
Note:
Starting with vSphere 8.0 Update 2, a restart of vCenter Server services after the certificate change is no longer necessary. The certificate replacement is completed seamlessly and all your sessions remain active.
For older vSphere versions, the change of the Machine SSL certificate triggers a restart of vCenter Server. Wait for the system to reboot and log in when available.
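The last step of the procedure supplies only the certificate PEM, so the issued certificate has to carry the same public key as the CSR saved earlier. The following pre-flight check is an added example, not part of the original procedure or of PowerCLI: the function name `Test-IssuedMachineCertificate` and the 30-day lifetime threshold are assumptions, and it requires PowerShell 7.3 or later for the .NET CSR parser.

```powershell
# Added example: check a CA-issued certificate against the saved CSR before applying it.
# Assumes PowerShell 7.3+ (.NET 7+), which provides CertificateRequest.LoadSigningRequestPem.
# Test-IssuedMachineCertificate is a hypothetical helper name, not a PowerCLI cmdlet.
function Test-IssuedMachineCertificate {
    param(
        [Parameter(Mandatory)] [string] $CsrPath,
        [Parameter(Mandatory)] [string] $CertPath,
        [int] $MinDaysValid = 30    # assumed policy: reject certificates close to expiry
    )
    # Parse the PKCS#10 request. The hash and padding arguments only matter if the
    # request were re-signed, which this check never does.
    $csrPem  = Get-Content -LiteralPath $CsrPath -Raw
    $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::LoadSigningRequestPem(
        $csrPem,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.X509Certificates.CertificateRequestLoadOptions]::Default,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

    # Convert-Path hands .NET an absolute path; the constructor reads PEM or DER files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Convert-Path -LiteralPath $CertPath))

    # The certificate must contain exactly the public key that was in the CSR.
    $sameAlgorithm = $request.PublicKey.Oid.Value -eq $cert.PublicKey.Oid.Value
    $sameKey = [Convert]::ToBase64String($request.PublicKey.EncodedKeyValue.RawData) -ceq
               [Convert]::ToBase64String($cert.PublicKey.EncodedKeyValue.RawData)

    $now = Get-Date
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    $result = [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        SubjectAltName = if ($san) { $san.Format($false) } else { '<none>' }
        NotAfter       = $cert.NotAfter
        KeyMatchesCsr  = $sameAlgorithm -and $sameKey
        ValidNow       = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        EnoughLifetime = $cert.NotAfter -gt $now.AddDays($MinDaysValid)
    }
    $result | Add-Member -NotePropertyName Passed -NotePropertyValue (
        $result.KeyMatchesCsr -and $result.ValidNow -and $result.EnoughLifetime) -PassThru
}

# Paths are the ones used in the procedure above.
$check = Test-IssuedMachineCertificate -CsrPath "C:\Users\jdoe\Downloads\vc.csr.pem" `
    -CertPath "C:\Users\jdoe\Downloads\vc.cert.jdoe.pem"
$check | Format-List
if (-not $check.Passed) { throw "Issued certificate failed the pre-flight check; not applying it." }
```

Review the printed Subject, Issuer and SubjectAltName by eye as well; the script reports them but does not decide whether they name the right vCenter Server system.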