The vCenter Certificate Automation Tool automates certificate renewal for core vCenter components on Windows operating systems.

The tool supports several deployment options. How the tool interacts with the user depends on the deployment option. See Certificate Replacement Overview.

All Services on One Machine

You can edit the ssl-environment.bat file to enter environment-specific information, and then run the tool on the machine without being prompted. As an alternative, you can run the tool and provide input when prompted.

Each Service on a Separate Machine

If each service runs on a separate machine or virtual machine in your environment, follow the steps below to update certificates. If some of these services run on the same machine, follow the information in the Update Planner list that is generated by the Certificate Automation Tool. If you are not including some of the services in your environment, you can skip the corresponding steps.

  1. Install and run the tool on one machine. The tool generates the update planner list.

  2. Install and run the tool on the machine on which vCenter Single Sign-On is running to update the vCenter Single Sign-On SSL certificate.

  3. Install and run the tool on the Inventory Service machine. The tool performs these tasks:

    1. Updates the trust from vCenter Inventory Service to vCenter Single Sign-On.

    2. Updates the vCenter Inventory Service SSL certificate.

  4. Install and run the tool on the machine on which vCenter Server is running. The tool performs these tasks:

    1. Updates the trust from the vCenter Server service to the vCenter Single Sign-On service.

    2. Updates the vCenter Server SSL certificate.

    3. Updates the trust from the vCenter Server to the vCenter Inventory Service.

    4. Updates the trust from the vCenter Server to the vSphere Update Manager.

  5. Install and run the tool on the vCenter Orchestrator machine. The tool performs these tasks:

    1. Updates the trust from the vCenter Orchestrator service to the vCenter Single Sign-On service.

    2. Updates the trust from the vCenter Orchestrator service to the vCenter Server service.

    3. Updates the vCenter Orchestrator SSL certificate.

  6. Install and run the tool on the vSphere Web Client machine. The tool performs these tasks:

    1. Updates the trust from the vSphere Web Client to the vCenter Single Sign-On service.

    2. Updates the trust from the vSphere Web Client to the vCenter Inventory Service and restarts the service.

    3. Updates the trust from the vSphere Web Client to the vCenter Server service and restarts the service.

    4. Updates the trust from the vSphere Web Client to the vCenter Orchestrator service and restarts the service.

    5. Updates the vSphere Web Client SSL certificate.

    You have to restart the vSphere Web Client to complete the updates of the trust relationships.

  7. Install and run the tool on the Log Browser machine. The vSphere Web Client and the vCenter Log Browser always run on the same machine. The tool performs these tasks:

    1. Updates the trust from the Log Browser service to the vCenter Single Sign-On service.

    2. Updates the Log Browser SSL certificate.

  8. Install and run the tool on the vSphere Update Manager machine.

    The tool updates the vSphere Update Manager SSL certificate. As part of the certificate update, the vCenter Server trust to vSphere Update Manager is updated.

Mixed Mode Deployment

In a mixed mode deployment, for example, when two services are on one machine and three services are on a second machine, you can run the tool as if each service were on a different machine.