After you replace the Platform Services Controller certificate, you replace the vCenter Server machine SSL certificate.

About this task

You replace certificates twice, once for each vCenter Server instance, starting with the Management vCenter Server mgmt01vc51.lax01.rainpole.local.

Table 1. Certificate-Related Files on the vCenter Server Instances

vCenter Server FQDN               Files for Certificate Replacement   Replacement Order
--------------------------------  ----------------------------------  ----------------------------------------------------------------------------------
mgmt01vc51.lax01.rainpole.local   • mgmt01vc51.lax01_ssl.key          After you replace the certificate on the management Platform Services Controller.
                                  • mgmt01vc51.lax01.1.cer
                                  • chainRoot64.cer
comp01vc51.lax01.rainpole.local   • comp01vc51.lax01_ssl.key          After you replace the certificate on the compute Platform Services Controller.
                                  • comp01vc51.lax01.1.cer
                                  • chainRoot64.cer

Procedure

  1. Use the scp command, FileZilla, or WinSCP to copy the machine and CA certificate files to the /tmp/ssl directory on the Management vCenter Server.

  2. Log in to the vCenter Server instance by using a Secure Shell (SSH) client.
    1. Open an SSH connection to the FQDN of the vCenter Server appliance.
    2. Log in by using the following credentials.

      Setting     Value
      ----------  ----------------------------
      User name   root
      Password    vcenter_server_root_password

  3. Replace the CA-signed certificate on the vCenter Server instance.
    1. From the SSH client connected to the vCenter Server instance, add the root certificate to the VMware Endpoint Certificate Store (VECS) as a trusted root certificate by using the following command, and enter the vCenter Single Sign-On password when prompted.
      /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/chainRoot64.cer
    2. Start the vSphere Certificate Manager utility on the vCenter Server instance.
      /usr/lib/vmware-vmca/bin/certificate-manager
    3. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local, and enter the vsphere_admin-password password.
    4. When prompted for the Infrastructure Server IP, provide the IP address of the Platform Services Controller that manages this vCenter Server instance.

      vCenter Server                    IP Address of Connected Platform Services Controller
      --------------------------------  ----------------------------------------------------
      mgmt01vc51.lax01.rainpole.local   172.17.11.61
      comp01vc51.lax01.rainpole.local   172.17.11.63

    5. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    6. When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that have been generated by vSphere Certificate Manager earlier, and confirm the import with Yes (Y).

      vCenter Server                    Path to Certificate-Related Files
      --------------------------------  ---------------------------------------------------------------------
      mgmt01vc51.lax01.rainpole.local   Please provide valid custom certificate for Machine SSL.
                                        File: /tmp/ssl/mgmt01vc51.lax01.1.cer
                                        Please provide valid custom key for Machine SSL.
                                        File: /tmp/ssl/mgmt01vc51.lax01.key
                                        Please provide the signing certificate of the Machine SSL certificate
                                        File: /tmp/ssl/chainRoot64.cer
      comp01vc51.lax01.rainpole.local   Please provide valid custom certificate for Machine SSL.
                                        File: /tmp/ssl/comp01vc51.lax01.1.cer
                                        Please provide valid custom key for Machine SSL.
                                        File: /tmp/ssl/comp01vc51.lax01.key
                                        Please provide the signing certificate of the Machine SSL certificate
                                        File: /tmp/ssl/chainRoot64.cer

  4. After Status shows 100% Completed, wait several minutes until all vCenter Server services have restarted.

  5. After you replace the certificate on mgmt01vc51.lax01.rainpole.local, repeat the procedure to replace the certificate on the compute vCenter Server comp01vc51.lax01.rainpole.local.
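The script below is an added example and is not part of the VMware documentation or of the vSphere Certificate Manager utility. It checks the files staged in /tmp/ssl in step 1 before they are handed to certificate-manager in step 3: the key must belong to the certificate, the certificate must validate against the chain file that is also published to VECS, it must not be expired, and its subjectAltName must carry the FQDN of the vCenter Server. Catching a wrong or mismatched file here avoids restarting the vCenter Server services with a broken machine SSL certificate. The script assumes that the openssl command is available, uses the file names and FQDNs from Table 1, and builds a constructed throwaway CA and certificate in make_sample_pki purely so the checks can be exercised offline; the served_fingerprint function is the post-replacement check for step 4 and needs network access to the appliance.

```shell
#!/bin/sh
# Added example, not VMware code: pre-flight checks for the machine SSL files
# in /tmp/ssl before certificate-manager imports them. File names and FQDNs
# follow Table 1; make_sample_pki produces constructed test material only.
set -u

# preflight_check CERT KEY CHAIN FQDN
# Returns 0 only when all three files parse as PEM, the public key in CERT is
# derived from KEY, CERT validates against CHAIN, CERT has not expired, and
# CERT lists FQDN in its subjectAltName.
preflight_check() {
  cert=$1; key=$2; chain=$3; fqdn=$4
  for f in "$cert" "$key" "$chain"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
  done
  openssl x509 -in "$cert" -noout 2>/dev/null || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
  openssl pkey -in "$key" -noout 2>/dev/null || { echo "FAIL: $key is not a PEM private key"; return 1; }
  # Compare SHA-256 digests of the DER public keys; this works for RSA and EC keys alike.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $cert"; return 1; }
  # The same chain file is published to VECS as the trusted root, so it must validate the certificate.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || { echo "FAIL: $cert does not chain to $chain"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL: $cert has expired"; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$fqdn" \
    || { echo "FAIL: $cert has no subjectAltName entry for $fqdn"; return 1; }
  echo "OK: $cert, $key and $chain are consistent for $fqdn"
  return 0
}

# served_fingerprint HOST
# After the services have restarted (step 4), print the SHA-256 fingerprint of
# the certificate presented on port 443 so it can be compared with
# "openssl x509 -in CERT -noout -fingerprint -sha256" run on the imported file.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# make_sample_pki DIR NAME FQDN
# Constructed stand-in for the CA-issued files: a throwaway root CA written as
# chainRoot64.cer, a machine SSL key NAME_ssl.key and certificate NAME.1.cer
# with FQDN in the SAN, plus an unrelated key (wrong.key) for the mismatch case.
make_sample_pki() {
  dir=$1; name=$2; fqdn=$3
  mkdir -p "$dir"
  # Private req config so the system openssl.cnf cannot add conflicting extensions.
  printf '[ req ]\ndistinguished_name = req_dn\nx509_extensions = ca_ext\n[ req_dn ]\n[ ca_ext ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/chainRoot64.cer" >/dev/null 2>&1
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$fqdn" -keyout "$dir/${name}_ssl.key" -out "$dir/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$fqdn" > "$dir/san.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/chainRoot64.cer" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/san.ext" -out "$dir/$name.1.cer" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/wrong.key" >/dev/null 2>&1
}

# Direct use on the appliance, for example:
#   sh preflight.sh /tmp/ssl/mgmt01vc51.lax01.1.cer /tmp/ssl/mgmt01vc51.lax01_ssl.key \
#      /tmp/ssl/chainRoot64.cer mgmt01vc51.lax01.rainpole.local
if [ $# -eq 4 ]; then
  preflight_check "$1" "$2" "$3" "$4"
fi
```

Run preflight_check once per instance with the paths from Table 1 before starting certificate-manager; a non-zero exit with a FAIL line tells you which file to fix. After step 4, compare the output of served_fingerprint with the fingerprint of the .1.cer file you imported to confirm the new certificate is actually being presented.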