After you generate the SDDC management certificates by using the CertGenVVD utility on a Windows host that has access to the data center, replace the SSL certificate on the Platform Services Controller instance in the Consolidated SDDC with a custom certificate that is signed by the certificate authority (CA).

About this task

The certificate must have a common name that is equal to the Fully Qualified Domain Name (FQDN) of the Platform Services Controller. The short name of the Platform Services Controller must be in the Subject Alternate Name (SAN) of the generated certificate.

Table 1. Certificate-Related Files on Platform Services Controller

Platform Services Controller

Certificate File Name


  • sfo01w01psc01.key

  • sfo01w01psc01.1.cer

  • chainRoot64.cer


  1. Log in to the Platform Services Controller by using a Secure Shell (SSH) client.
    1. Open an SSH connection to sfo01w01psc01.sfo01.rainpole.local.
    2. Log in using the following credentials.



      User name




  2. Run the following command to enable Bash shell access for the root user.
    chsh -s "/bin/bash" root
  3. Copy the generated certificates from the Windows host to the Platform Services Controller.
    1. Run the following command to create a new temporary folder
      mkdir -p /root/certs
    2. Copy the certificate files sfo01w01psc01.1.cer, sfo01w01psc01.key and chainRoot64.cer to the /root/certs folder.

      You can use an scp software like WinSCP.

  4. Replace the certificate on the Platform Services Controller.
    1. Start the vSphere Certificate Manager utility on the Platform Services Controller.
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate).
    3. Enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin password.
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /root/certs/sfo01w01psc01.1.cer.
    6. When prompted for the custom key, enter /root/certs/sfo01w01psc01.key.
    7. When prompted for the signing certificate, enter /root/certs/chainRoot64.cer.
    8. When prompted to Continue operation, enter Y.
    9. The Platform Services Controller services restarts automatically.
  5. Verify that the new certificate has been installed successfully.
    1. Open a Web Browser and go to https://sfo01w01psc01.sfo01.rainpole.local.
    2. Verify that the Web browser shows the new certificate.
  6. After Certificate Manager replaces the certificates, run the following commands in the SSH terminal to restart the vami-lighttp service and to remove certificate files.
    service vami-lighttp restart
    cd /root/certs
    rm sfo01w01psc01.1.cer sfo01w01psc01.key chainRoot64.cer
  7. Switch the shell back to the appliance shell.
    chsh -s /bin/appliancesh root