You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA) available on the parent Active Directory (AD) server.

About this task

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server (mgmt01psc01.sfo01.rainpole.local), and then on the Platform Services Controller for the Compute vCenter Server (comp01psc01.sfo01.rainpole.local).

Table 1. Certificate-Related Files on Platform Services Controllers

Platform Services Controller | Certificate File Name | Replacement Order

  • sfo01psc01.sfo01.1.cer
  • sfo01psc01.sfo01.key
  • root64.cer

  • sfo01psc01.sfo01.1.cer
  • sfo01psc01.sfo01.key
  • root64.cer


  1. Change the Platform Services Controller command shell to the Bash shell to allow secure copy (scp) connections.
    1. SSH to mgmt01psc01.sfo01.rainpole.local and log in using the following credentials.
    2. Enter shell and press Enter.
    3. Run the command chsh -s "/bin/bash" root.
  2. Copy the generated certificates to the Platform Services Controller.
    1. Use the scp command to copy the contents of the folder C:\CertGenVVD\SignedByMCSACerts\sfo01psc01.sfo01 to the folder /tmp/certs.
    2. Use the scp command to copy the Root64.cer file from the folder C:\CertGenVVD\SignedByMCSACerts\RootCA to the folder /tmp/certs.
  3. Replace the certificate on the Platform Services Controller.
    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /tmp/certs/sfo01psc01.sfo01.1.cer.
    6. When prompted for the custom key, enter /tmp/certs/sfo01psc01.sfo01.key.
    7. When prompted for the signing certificate, enter /tmp/certs/Root64.cer.
    8. When prompted to Continue operation, enter Y.
    9. The Platform Services Controller services will restart automatically.
  4. Repeat Step 1 through Step 3 to replace the certificate on comp01psc01.sfo01.rainpole.local.
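
A pre-flight check for the three files copied in Step 2, run in the Bash shell before starting Certificate Manager in Step 3. This is an added example, not part of the original procedure or of any VMware tooling: the function name, its exit codes and the optional host-name argument are choices made here. It assumes that openssl is available on the appliance, that Root64.cer is the direct issuer of the certificate, and that the host name you pass is expected in the certificate's subjectAltName.

```shell
#!/bin/bash
# Added example, not from the original procedure: check the three files
# before giving them to Certificate Manager. Function name, exit codes and
# the optional FQDN argument are choices made for this example.

# preflight_check CERT KEY CA [FQDN]
#   0 ok, 2 file missing, 3 key does not match cert,
#   4 cert does not verify against CA, 5 FQDN not in subjectAltName
preflight_check() {
    cert="$1"; key="$2"; ca="$3"; fqdn="${4:-}"

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done

    # The public key embedded in the certificate must equal the public key
    # derived from the private key. Empty output (parse failure) never matches.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || true
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 3
    fi

    # The certificate must chain to the signing CA and be inside its
    # validity period (openssl verify checks both).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate does not verify against $ca" >&2; return 4
    fi

    # Optional: the host name clients connect to must be a DNS entry in
    # subjectAltName. Exact, case-insensitive match on a single entry.
    if [ -n "$fqdn" ]; then
        openssl x509 -in "$cert" -noout -text 2>/dev/null |
            tr ',' '\n' | sed 's/^[[:space:]]*//' |
            grep -Fxiq "DNS:$fqdn" ||
            { echo "$fqdn not in subjectAltName" >&2; return 5; }
    fi
    return 0
}

# When saved as a script (hypothetical name preflight.sh), run it as:
#   ./preflight.sh /tmp/certs/sfo01psc01.sfo01.1.cer \
#       /tmp/certs/sfo01psc01.sfo01.key /tmp/certs/Root64.cer <psc-fqdn>
if [ "$#" -ge 3 ]; then
    preflight_check "$@"
fi
```

The private key stays in /tmp/certs for the duration of the import, so remove that directory once Certificate Manager reports success.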