Replace the Certificate of vCenter Server for Consolidated SDDC

To establish trusted connection with the other SDDC components, you replace the machine SSL certificate on each vCenter Server instance in the region with a custom certificate. The certificate, generated by the CertGenVVD utility, is signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.

Table 1. Certificate-Related Files on the vCenter Server Instance
vCenter Server FQDN	Files for Certificate Replacement
sfo01w01vc01.sfo01.rainpole.local	sfo01w01vc01.key sfo01w01vc01.1.cer Root64.cer

Procedure

Open an SSH connection to the sfo01w01vc01.sfo01.rainpole.local virtual machine.

Setting	Value
User name	root
Password	`vcenter_server_root_password`

To allow secure copy (scp) connections for the root user, change the vCenter Server Appliance command shell to the Bash shell .
```
shell
chsh -s "/bin/bash" root
```
Copy the generated certificates to the vCenter Server Appliance.
1. Run the following command to create a new temporary folder.
```
mkdir -p /root/certs
```
2. Copy the certificate files sfo01w01vc01.1.cer, sfo01w01vc01.key, and Root64.cer to the /root/certs folder.
  
  You can use an scp software such as WinSCP.

Replace the CA-signed certificate on the vCenter Server instance.

Start the vSphere Certificate Manager utility on the vCenter Server instance.
```
/usr/lib/vmware-vmca/bin/certificate-manager
```
Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.

When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.

vCenter Server instance	IP Address of managing Platform Services Controller
sfo01w01vc01.sfo01.rainpole.local	172.16.11.63

Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).

When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that you copied over earlier, and confirm the import with Yes (Y).

vCenter Server	Input to the vSphere Certificate Manager Utility
sfo01w01vc01.sfo01.rainpole.local	Please provide valid custom certificate for Machine SSL. File : `/root/certs/sfo01w01vc01.1.cer` Please provide valid custom key for Machine SSL. File : `/root/certs/sfo01w01vc01.key` Please provide the signing certificate of the Machine SSL certificate. File : `/root/certs/Root64.cer`

vCenter Server

Input to the vSphere Certificate Manager Utility

sfo01w01vc01.sfo01.rainpole.local

Please provide valid custom certificate for Machine SSL.

File : /root/certs/sfo01w01vc01.1.cer

Please provide valid custom key for Machine SSL.

File : /root/certs/sfo01w01vc01.key

Please provide the signing certificate of the Machine SSL certificate.

File : /root/certs/Root64.cer

When status shows 100% Completed, wait several minutes until all vCenter Server services are restarted.
Open the vSphere Web Client to verify that certificate replacement is successful.
1. Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client.
2. Verify that you see the new certificate.
Restart the vami-lighttp service to update the certificate on the virtual appliance management interface (VAMI) and to remove certificate files.
```
service vami-lighttp restart
cd /root/certs/
rm sfo01w01vc01.1.cer sfo01w01vc01.key Root64.cer
```