Тo establish trusted connection with the other SDDC management components, you replace the machine SSL certificate on each vCenter Server instance in the region with a custom certificate signed by the certificate authority (CA) available on the parent Active Directory (AD) server or on the intermediate Active Directory (AD) server.

Table 1. Certificate-Related Files on the vCenter Server Instances
vCenter Server FQDN Files for Certificate Replacement
  • lax01m01vc01.key
  • lax01m01vc01.1.cer
  • Root64.cer


  • CA-signed certificate files generated by using VMware Validated Design Certificate Generation Utility (CertGenVVD). See the VMware Validated Design Planning and Preparation documentation.
  • A Windows host with an SSH terminal access software such as PuTTY and an scp software such as WinSCP installed.


  1. Log in to vCenter Server by using Secure Shell (SSH) client.
    1. Open an SSH connection to the virtual machine lax01m01vc01.lax01.rainpole.local.
    2. Log in using the following credentials.
      Setting Value
      User name root
      Password vcenter_server_root_password
  2. Change the vCenter Server appliance command shell to the Bash shell to allow secure copy (SCP) connections for the root user.
    chsh -s "/bin/bash" root
  3. Copy the generated certificates from the Windows host where you run the CertGenVVD utility to the vCenter Server Appliance.
    1. Run the following command to create a new temporary folder.
      mkdir -p /root/certs
    2. Copy the certificate files lax01m01vc01.1.cer, lax01m01vc01.key, Root64.cer from the Windows host where you run the CertGenVVD utility to the /root/certs folder on the vCenter Server Appliance.
      You can use an SCP software such as WinSCP.
  4. Replace the CA-signed certificate on the vCenter Server instance.
    1. Start the vSphere Certificate Manager utility on the vCenter Server instance.
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and the vsphere_admin-password password.
    3. When prompted for the Infrastructure Server IP, enter the IP address of the Platform Services Controller that manages this vCenter Server instance.
      vCenter Server instance IP Address of managing Platform Services Controller
    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that you generated earlier, and confirm the import with Yes (Y).
      vCenter Server Input to the vSphere Certificate Manager Utility

      Please provide valid custom certificate for Machine SSL.

      File: /root/certs/lax01m01vc01.1.cer

      Please provide valid custom key for Machine SSL.

      File: /root/certs/lax01m01vc01.key

      Please provide the signing certificate of the Machine SSL certificate

      File: /root/certs/Root64.cer

  5. After Status shows 100% Completed, wait several minutes until all vCenter Server services are restarted.
  6. Run the following command to restart the vami-lighttp service and to remove certificate files.
    service vami-lighttp restart
    cd /root/certs
    rm lax01m01vc01.1.cer lax01m01vc01.key Root64.cer