The machine SSL certificate is used by the reverse proxy service on every management node, Platform Services Controller, and embedded deployment. Each machine must have a machine SSL certificate for secure communication with other services. You can replace the certificate on each node with a custom certificate.

Before you begin

Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.

  1. To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates).

  2. To generate the CSR explicitly, request a certificate for each machine from your third-party or enterprise CA. The certificate must meet the following requirements:

    • Key size: 2048 bits or more (PEM encoded)

    • CRT format

    • x509 version 3

    • SubjectAltName must contain DNS Name=<machine_FQDN>

    • Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

See also VMware Knowledge Base article 2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.

Procedure

  1. Start vSphere Certificate Manager and select option 1.
  2. Select option 2 to start certificate replacement and respond to the prompts.

    vSphere Certificate Manager prompts you for the following information:

    • Password for administrator@vsphere.local.

    • Valid Machine SSL custom certificate (.crt file).

    • Valid Machine SSL custom key (.key file).

    • Valid signing certificate for the custom machine SSL certificate (.crt file).

    • If you are running the command on a management node in a multi-node deployment, IP address of the Platform Services Controller.

What to do next

Depending on your environment, you might have to replace additional certificates explicitly.