After you receive the custom certificates, you can replace each machine certificate.

Each machine must have a machine SSL certificate for secure communication with other services. In a multi-node deployment, you must run the Machine SSL certificate generation commands on each node. Use the --server parameter to point to the Platform Services Controller from a vCenter Server with external Platform Services Controller.

You must have the following information before you can start replacing the certificates:
  • Password for [email protected].
  • Valid Machine SSL custom certificate (.crt file).
  • Valid Machine SSL custom key (.key file).
  • Valid custom certificate for Root (.crt file).
  • If you are running the command on a vCenter Server with external Platform Services Controller in a multi-node deployment, IP address of the Platform Services Controller.

Prerequisites

You must have received a certificate for each machine from your third-party or enterprise CA.

  • Key size: 2048 bits or more (PEM encoded)
  • CRT format
  • x509 version 3
  • SubjectAltName must contain DNS Name=<machine_FQDN>.
  • Contains the following Key Usages: Digital Signature, Key Encipherment

Procedure

  1. Stop all services and start the services that handle certificate creation, propagation, and storage.
    The service names differ on Windows and the vCenter Server Appliance.
    Note: If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
    Windows 
    service-control --stop --all
service-control --start VMWareAfdService
service-control --start VMWareDirectoryService
service-control --start VMWareCertificateService
    vCenter Server Appliance 
    service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad
  2. Log in to each node and add the new machine certificates that you received from the CA to VECS.
    All machines need the new certificate in the local certificate store to communicate over SSL. 
    vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert <cert-file-path>
--key <key-file-path>
  3. Restart all services. 
    service-control --start --all

Example: Replace Machine SSL Certificates with Custom Certificates

This example shows how to replace the machine SSL certificate with a custom certificate on a Windows installation. You can replace the machine SSL certificate on each node the same way.
  1. First, delete the existing certificate in VECS. 
    "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
  2. Next, add the replacement certificate. 
    "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert E:\custom-certs\ms-ca\signed-ssl\custom-w1-vim-cat-dhcp-094.eng.vmware.com.crt --key E:\custom-certs\ms-ca\signed-ssl\custom-x3-vim-cat-dhcp-1128.vmware.com.priv