To establish trusted connection with the other SDDC components, you replace the machine SSL certificate on each vCenter Server instance in the region with a custom certificate. The certificate, generated by the CertGenVVD utility, is signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.

Table 1. Certificate-Related Files on the vCenter Server Instance

vCenter Server FQDN

Files for Certificate Replacement


  • sfo01w01vc01.key

  • sfo01w01vc01.1.cer

  • Root64.cer


  1. Log in to vCenter Server by using Secure Shell (SSH) client.
    1. Open an SSH connection to the sfo01w01vc01.sfo01.rainpole.local virtual machine.
    2. Log in using the following credentials.



      User name




  2. To allow secure copy (scp) connections for the root user, change the vCenter Server Appliance command shell to the Bash shell .
    chsh -s "/bin/bash" root
  3. Copy the generated certificates to the vCenter Server Appliance.
    1. Run the following command to create a new temporary folder.
      mkdir -p /root/certs
    2. Copy the certificate files sfo01w01vc01.1.cer, sfo01w01vc01.key, and Root64.cer to the /root/certs folder.

      You can use an scp software such as WinSCP.

  4. Replace the CA-signed certificate on the vCenter Server instance.
    1. Start the vSphere Certificate Manager utility on the vCenter Server instance.
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin_password password.
    3. When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.

      vCenter Server instance

      IP Address of managing Platform Services Controller


    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that you copied over earlier, and confirm the import with Yes (Y).

      vCenter Server

      Input to the vSphere Certificate Manager Utility


      Please provide valid custom certificate for Machine SSL.

      File : /root/certs/sfo01w01vc01.1.cer

      Please provide valid custom key for Machine SSL.

      File : /root/certs/sfo01w01vc01.key

      Please provide the signing certificate of the Machine SSL certificate.

      File : /root/certs/Root64.cer

  5. When status shows 100% Completed, wait several minutes until all vCenter Server services are restarted.
  6. Open the vSphere Web Client to verify that certificate replacement is successful.
    1. Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client.
    2. Verify that you see the new certificate.
  7. Restart the vami-lighttp service to update the certificate on the virtual appliance management interface (VAMI) and to remove certificate files.
    service vami-lighttp restart
    cd /root/certs/
    rm sfo01w01vc01.1.cer sfo01w01vc01.key Root64.cer