You can use PowerCLI to change the Machine SSL certificate of a vCenter Server system. For a custom certificate, you must generate a certificate signing request (CSR) and send it to the certificate authority (CA) of your choice.
Procedure
- (Optional) Retrieve the current Machine SSL certificate of the vCenter Server system.
Get-VIMachineCertificate -VCenterOnly
- Generate a CSR.
$csrParams = @{
    Country="US"
    Email="[email protected]"
    Locality="San Francisco"
    Organization="My Company"
    OrganizationUnit="PowerCLI"
    StateOrProvince="California"
}
$csr = New-VIMachineCertificateSigningRequest @csrParams
- Save the CSR to your system.
$csr.CertificateRequestPEM | Out-File "C:\Users\jdoe\Downloads\vc.csr.pem" -Force
- Send the CSR to the CA of your choice.
- Save the issued custom certificate to your system.
- Apply the new custom certificate to the vCenter Server system.
$vcCert = Get-Content "C:\Users\jdoe\Downloads\vc.cert.jdoe.pem" -Raw
Set-VIMachineCertificate -PemCertificate $vcCert
Note:
Starting with vSphere 8.0 Update 2, a restart of vCenter Server services after the certificate change is no longer necessary. The certificate replacement is completed seamlessly and all your sessions remain active.
For older vSphere versions, the change of the Machine SSL certificate triggers a restart of vCenter Server. Wait for the system to reboot and log in when available.
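Before the final step, it is worth checking the file the CA returned, because a certificate that is expired, lacks the vCenter FQDN in its subject alternative names, or uses a weak key or signature breaks every client's trust in the endpoint once applied. The following is an added example, not part of the original procedure or of PowerCLI. The function name `Test-IssuedMachineCert`, the FQDN `vcenter.example.com`, and the 2048-bit and 30-day thresholds are assumptions.

```powershell
# Added example: Test-IssuedMachineCert is a hypothetical helper, not a PowerCLI cmdlet.
function Test-IssuedMachineCert {
    param(
        [Parameter(Mandatory)] [string] $PemPath,
        [Parameter(Mandatory)] [string] $ExpectedFqdn,  # FQDN clients use for vCenter
        [int] $MinRsaBits  = 2048,                      # assumed local policy
        [int] $MinDaysLeft = 30                         # assumed local policy
    )
    $pem = Get-Content -LiteralPath $PemPath -Raw
    # Use the first CERTIFICATE block; a CA may return the leaf followed by its chain.
    $m = [regex]::Match($pem, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) { throw "No PEM certificate block found in $PemPath" }
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

    $problems = @()
    $now = Get-Date
    if ($now -lt $cert.NotBefore) { $problems += "Not valid before $($cert.NotBefore)" }
    if ($cert.NotAfter -lt $now.AddDays($MinDaysLeft)) { $problems += "Expires $($cert.NotAfter)" }

    # subjectAltName is OID 2.5.29.17; its text form differs between Windows and OpenSSL.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $dnsNames = @([regex]::Matches($sanText, '(?:DNS Name=|DNS:)\s*([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })
    if ($dnsNames -notcontains $ExpectedFqdn) { $problems += "SAN lacks DNS name $ExpectedFqdn" }

    # GetRSAPublicKey returns $null for non-RSA keys, which skips the size check.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) { $problems += "RSA key is $($rsa.KeySize) bits" }
    if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $problems += "Weak signature algorithm $($cert.SignatureAlgorithm.FriendlyName)"
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        DnsNames = $dnsNames
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}

# Path is the one used on this page; vcenter.example.com is a placeholder FQDN.
$check = Test-IssuedMachineCert -PemPath "C:\Users\jdoe\Downloads\vc.cert.jdoe.pem" `
    -ExpectedFqdn "vcenter.example.com"
if (-not $check.Ok) { throw ($check.Problems -join '; ') }
Set-VIMachineCertificate -PemCertificate (Get-Content "C:\Users\jdoe\Downloads\vc.cert.jdoe.pem" -Raw)
```

The SAN comparison is an exact, case-insensitive match, so a certificate that covers the host only through a wildcard entry is reported as a problem and needs a manual decision.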