You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs) that you can then use with your enterprise CA or send to an external certificate authority. You can use the certificates with the different supported certificate replacement processes.

You can run the Certificate Manager tool from the command line as follows:
Windows
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
Linux
/usr/lib/vmware-vmca/bin/certificate-manager

Prerequisites

vSphere Certificate Manager prompts you for information. The prompts depend on your environment and on the type of certificate you want to replace.

  • For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
  • If you are generating a CSR in an environment with an external Platform Services Controller, you are prompted for the host name or IP address of the Platform Services Controller.
  • To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which are stored in the certool.cfg file. For most fields, you can accept the default or provide site-specific values. The FQDN of the machine is required.

Procedure

  1. On each machine in your environment, start vSphere Certificate Manager and select option 1.
  2. Supply the password and the Platform Services Controller IP address or host name if prompted.
  3. Select option 1 to generate the CSR, answer the prompts and exit Certificate Manager.
    As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files in the directory.
  4. If you also want to replace all solution user certificates, restart Certificate Manager.
  5. Select option 5.
  6. Supply the password and the Platform Services Controller IP address or host name if prompted.
  7. Select option 1 to generate the CSRs, answer the prompts and exit Certificate Manager.
    As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files in the directory.

    On each Platform Services Controller node, Certificate Manager generates one certificate and key pair. On each vCenter Server node, Certificate Manager generates four certificate and key pairs.
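
Before a CSR goes to the CA, it is worth confirming that the files Certificate Manager wrote to the directory are consistent with each other. The shell function below is an added example, not part of the VMware documentation or tooling. The file paths and FQDN are supplied by the caller, and it assumes openssl is available and that the machine FQDN is expected as a DNS entry in the CSR's subjectAltName.

```shell
#!/bin/sh
# Added example: pre-submission checks for a CSR and key written by
# Certificate Manager. Paths and FQDN are caller-supplied (hypothetical names).
# Usage: check_csr <csr-file> <key-file> <machine-fqdn>
check_csr() {
    csr=$1; key=$2
    fqdn=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')

    # 1. The CSR's self-signature must verify (proves possession of the key).
    #    Match on the output text: some openssl builds exit 0 even on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; return 1; }

    # 2. The machine FQDN must appear as an exact DNS entry in the SAN
    #    (assumption: the CA and clients match on subjectAltName).
    sans=$(openssl req -in "$csr" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$sans" | grep -Fxq "dns:$fqdn" ||
        { echo "FAIL: $fqdn not in subjectAltName"; return 1; }

    # 3. The key in the directory must be the one the CSR was made from.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$csr_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match CSR"; return 1; }

    # 4. The private key must not be accessible to group or other.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: key permissions too open ($perms)"; return 1; }

    echo "OK: CSR for $fqdn is consistent with its key"
}
```

Run it once per CSR and key pair in the output directory; only the CSR leaves the machine, the key file stays where Certificate Manager wrote it.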

What to do next

Perform certificate replacement.