The machine SSL certificate is used by the reverse proxy service on every management node, Platform Services Controller, and embedded deployment. Each machine must have a machine SSL certificate for secure communication with other services. You can use the vSphere Client to generate a Certificate Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is ready.

Prerequisites

The certificate must meet the following requirements:

  • Key size: 2048 bits or more (PEM encoded)
  • CRT format
  • x509 version 3
  • SubjectAltName must contain DNS Name=<machine_FQDN>.
  • Contains the following Key Usages: Digital Signature, Non-Repudiation, Key Encipherment
Note: Do not use CRL Distribution Points, Authority Information Access, or Certificate Template Information in any custom certificates.

Generating a CSR for the machine SSL certificate is supported only on the vCenter Server Appliance. It is not supported on a Windows installation of vCenter Server.

Procedure

  1. Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. Enter the credentials of your vCenter Server.
  5. Generate the CSR.
    1. Under Machine SSL Certificate, for the certificate you want to replace, click Actions > Generate Certificate Signing Request (CSR).
    2. Enter your certificate information and click Next.
    3. Copy or download the CSR.
    4. Click Finish.
    5. Provide the CSR to your Certificate Authority.

What to do next

When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store. See Add Custom Certificates from the Platform Services Controller.
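Before replacing the certificate, it is worth verifying that what the Certificate Authority returned actually meets the prerequisites listed above, because a certificate that fails them is only discovered once the reverse proxy stops accepting connections. The script below is an added example built on the openssl CLI, not a VMware tool; it assumes OpenSSL 1.1.1 or later on the PATH, and the two dotted OIDs it treats as Certificate Template Information are assumed to be the Microsoft certificate template extensions.

```shell
#!/bin/sh
# Pre-flight check of a CA-returned machine SSL certificate against the
# prerequisites on this page, using the openssl CLI (OpenSSL 1.1.1+ assumed).
# Usage: check_machine_ssl_cert <cert.pem> <machine_FQDN>
# Prints one line per unmet requirement; returns 0 only if every check passes.
check_machine_ssl_cert() {
    cert="$1"; fqdn="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # Key size: 2048 bits or more
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key size ${bits:-unknown} < 2048"; rc=1; }
    # x509 version 3
    printf '%s\n' "$text" | grep -q 'Version: 3' || { echo "FAIL not x509 version 3"; rc=1; }
    # SubjectAltName must contain DNS Name=<machine_FQDN>: compare whole SAN entries
    printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | tr ',' '\n' \
        | grep -qxF "DNS:$fqdn" || { echo "FAIL SubjectAltName lacks DNS:$fqdn"; rc=1; }
    # Required key usages (openssl prints Non-Repudiation as "Non Repudiation")
    usages=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
    for u in 'Digital Signature' 'Non Repudiation' 'Key Encipherment'; do
        printf '%s\n' "$usages" | grep -q "$u" || { echo "FAIL missing key usage: $u"; rc=1; }
    done
    # Forbidden extensions. The two OIDs are assumed to be the Microsoft
    # certificate template extensions, which openssl may print as bare OIDs.
    bad=$(printf '%s\n' "$text" | grep -E 'CRL Distribution Points|Authority Information Access|Certificate Template|1\.3\.6\.1\.4\.1\.311\.(21\.7|20\.2)' | sed 's/^ *//; s/:.*//' || true)
    [ -z "$bad" ] || { echo "FAIL forbidden extension(s): $(printf '%s' "$bad" | tr '\n' ' ')"; rc=1; }
    return $rc
}

# Constructed test input, not a real vCenter certificate: a self-signed cert with
# the given SubjectAltName and keyUsage values, so the check can be tried offline.
# $1 = output PEM path, $2 = FQDN for the CN, $3 = SAN value, $4 = keyUsage value
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" -keyout "$1.key" \
        -out "$1" -addext "subjectAltName=$3" -addext "keyUsage=$4" >/dev/null 2>&1
}

# Run directly with a certificate path and FQDN to check a real CA-issued file.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_machine_ssl_cert "$1" "$2" && echo "OK: $1 meets the machine SSL certificate requirements"
fi
```

The check reads only the certificate, so it can be run on a workstation against the file the CA returned before anything is uploaded through the Certificate Management UI.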