To establish a trusted connection to the other SDDC management components, you replace the default SSL certificate on the vCenter Server instance in the workload domain with a custom certificate that is signed by the certificate authority (CA) on the parent Active Directory (AD) server.

Use the following certificate files to replace the certificate on the Compute vCenter Server:

Table 1. Certificate-Related Files on the vCenter Server Instance

vCenter Server FQDN

Files for Certificate Replacement


  • sfo01w02vc01.1.key

  • sfo01w02vc01.1.cer

  • Root64.cer


  1. Log in to vCenter Server by using Secure Shell (SSH) client.
    1. Open an SSH connection to the sfo01w02vc01.sfo01.rainpole.local virtual machine.
    2. Log in by using the following credentials.



      User name




  2. To enable secure copy (scp) connections for the root user, switch from the appliance shell to the Bash shell.
    chsh -s "/bin/bash" root
  3. Copy the certificates that you generated by using the CertGenVVD utility to the vCenter Server Appliance.
    1. Run the following command to create a new temporary folder.
      mkdir -p /root/certs
    2. Copy the certificate files sfo01w02vc01.1.cer, sfo01w02vc01.key, and Root64.cer to the /root/certs folder.

      You can use an scp software such as WinSCP.

  4. Replace the CA-signed certificate on the vCenter Server instance.
    1. Run the vSphere Certificate Manager utility on the vCenter Server instance.
    2. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default vCenter Single Sign-On user name administrator@vsphere.local and vsphere_admin_password.
    3. When prompted for the Infrastructure Server IP, enter the VIP address of the Platform Services Controller pair in Region A.



      Infrastructure server IP

    4. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
    5. When prompted, provide the full path to the custom certificate, the root certificate file, and the key file that you copied over earlier, and confirm the import with Yes (Y).



      Custom certificate for Machine SSL


      Custom key for Machine SSL


      Signing certificate of the Machine SSL certificate


  5. After the status is 100% Completed, wait several minutes until all vCenter Server services are restarted.
  6. Restart the vami-lighttp service to update the certificate on the virtual appliance management interface (VAMI) and to remove the certificate files.
    service vami-lighttp restart 
    cd /root/certs/ 
    rm sfo01w02vc01.1.cer sfo01w02vc01.key Root64.cer