The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must have a machine SSL certificate for secure communication with other services. You can use the vSphere Client to generate a Certificate Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is ready.


The certificate must meet the following requirements:

  • Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
  • CRT format
  • x509 version 3
  • SubjectAltName must contain DNS Name=<machine_FQDN>.
  • Contains the following Key Usages: Digital Signature, Key Encipherment


  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. Enter the credentials of your vCenter Server.
  5. Generate the CSR.
    1. For the certificate that you want to replace, under Machine SSL Certificate, click Actions > Generate Certificate Signing Request (CSR).
    2. Enter your certificate information and click Next.
      Note: When you use vCenter Server to generate a CSR with a key size of 16384 bits, the generation takes a few minutes to complete because of the CPU-intensive nature of the operation.
    3. Copy or download the CSR.
    4. Click Finish.
    5. Provide the CSR to your Certificate Authority.

What to do next

When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store. See Add Custom Certificates.