You replace the machine SSL certificate on vCenter Server with a custom certificate that is signed by a certificate authority.

About this task

Table 1. Certificate-Related Files on the vCenter Server Instance

vCenter Server FQDN

Files for Certificate Replacement


  • sfo01w01vc01.sfo01.key

  • sfo01w01vc01.sfo01.1.cer

  • Root64.cer


  • CA-signed certificate files generated by using VMware Validated Design Certificate Generation Utility (CertGenVVD). See the VMware Validated Design Planning and Preparation documentation.

  • A Windows host with an SSH terminal access software such as PuTTY and an scp software such as WinSCP installed.


  1. Change the vCenter Server appliance command shell to the Bash shell to allow secure copy (scp) connections.
    1. Open an SSH connection to sfo01w01vc01.sfo01.rainpole.local.
    2. Log in using the following credentials.



      User name




    3. Run the following commands to enable Bash shell access for the root user.
      chsh -s "/bin/bash" root
  2. Copy the generated certificates to the vCenter Server Appliance.
    1. Run the following command to create a new temporary folder.
      mkdir -p /root/certs
    2. Copy the certificate files sfo01w01vc01.1.cer, sfo01w01vc01.key and Root64.cer to the /root/certs folder.

      You can use an scp software such as WinSCP.

  3. Replace the certificate on the vCenter Server instance.
    1. Start the vSphere Certificate Manager utility on the vCenter Server instance.
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
    3. When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted for the custom certificate, enter /tmp/certs/sfo01w01vc01.sfo01.1.cer.
    6. When prompted for the custom key, enter /tmp/certs/sfo01w01vc01.sfo01.key.
    7. When prompted for the signing certificate, enter /tmp/certs/Root64.cer.
    8. When prompted to Continue operation, enter Y.
  4. After Status shows 100% Completed, wait several minutes until all vCenter Server services are restarted.
  5. Run the following commands to restart the vami-lighttp service and to remove certificate files.
    service vami-lighttp restart
    cd /root/certs/
    rm sfo01w01vc01.1.cer sfo01w01vc01.key Root64.cer