The machine SSL certificate is used by the reverse proxy service on every management node, Platform Services Controller, and embedded deployment. Each machine must have a machine SSL certificate for secure communication with other services. You can replace the certificate on each node with a custom certificate.
Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.
To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates).
To generate the CSR explicitly, request a certificate for each machine from your third-party or enterprise CA. The certificate must meet the following requirements:
Key size: 2048 bits or more (PEM encoded)
x509 version 3
SubjectAltName must contain DNS Name=<machine_FQDN>.
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Do not use CRL Distribution Points, Authority Information Access, or Certificate Template Information in any custom certificates.
See also VMware Knowledge Base article 2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.
- Start vSphere Certificate Manager and select option 1.
- Select option 2 to start certificate replacement and respond to the prompts.
vSphere Certificate Manager prompts you for the following information:
Password for email@example.com.
Valid Machine SSL custom certificate (.crt file).
Valid Machine SSL custom key (.key file).
Valid signing certificate for the custom machine SSL certificate (.crt file).
If you are running the command on a management node in a multi-node deployment, IP address of the Platform Services Controller.
What to do next
If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode Environments.