The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must have a machine SSL certificate for secure communication with other services. You can use the vSphere Client to generate a Certificate Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is ready.
The certificate must meet the following requirements:
- Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
- CRT format
- x509 version 3
- SubjectAltName must contain DNS Name=<machine_FQDN>.
- Contains the following Key Usages: Digital Signature, Non-Repudiation, Key Encipherment
- Log in with the vSphere Client to the vCenter Server.
- Specify the user name and password for email@example.com or another member of the vCenter Single Sign-On Administrators group.
If you specified a different domain during installation, log in as administrator@ mydomain.
- Navigate to the Certificate Management UI.
- From the Home menu, select Administration.
- Under Certificates, click Certificate Management.
- Enter the credentials of your vCenter Server.
- Generate the CSR.
- Under Machine SSL Certificate, for the certificate you want to replace, click .
- Enter your certificate information and click Next.
Note: When you use vCenter Server to generate a CSR with a key size of 16384 bits, the generation takes a few minutes to complete because of the CPU-intensive nature of the operation.
- Copy or download the CSR.
- Click Finish.
- Provide the CSR to your Certificate Authority.
What to do next
When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store. See Add Custom Certificates.