The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must have a machine SSL certificate for secure communication with other services. You can replace the certificate on each node with a custom certificate.


Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.

  1. To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates).
  2. To generate the CSR explicitly, request a certificate for each machine from your third-party or enterprise CA. The certificate must meet the following requirements:
    • Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
    • CRT format
    • x509 version 3
    • SubjectAltName must contain DNS Name=<machine_FQDN>.
    • Contains the following Key Usages: Digital Signature, Key Encipherment

See also the VMware knowledge base article Obtaining vSphere certificates from a Microsoft Certificate Authority.


  1. Start vSphere Certificate Manager and select option 1.
  2. Select option 2 to start certificate replacement and respond to the prompts.
    vSphere Certificate Manager prompts you for the following information:
    • Password for administrator@vsphere.local
    • Valid Machine SSL custom certificate (.crt file)
    • Valid Machine SSL custom key (.key file)
    • Valid signing certificate for the custom machine SSL certificate (.crt file)
    • IP address of the vCenter Server
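
The certificate, key and signing certificate can be checked against the requirements listed above before they are handed to vSphere Certificate Manager. The following is an added example, not VMware code; it assumes the `openssl` command-line tool is installed, and the function name `preflight_machine_ssl` is hypothetical.

```shell
#!/bin/sh
# Added example (not VMware code): pre-flight check of the files that
# vSphere Certificate Manager prompts for, against the requirements above.
# Usage: preflight_machine_ssl <machine.crt> <machine.key> <signing.crt> <machine_FQDN>
# Returns 0 when every check passes, 1 otherwise. Runs in a subshell, so
# its variables do not leak into the caller.
preflight_machine_ssl() (
    cert=$1; key=$2; ca=$3; fqdn=$4; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "FAIL: $cert is not a PEM-encoded X.509 certificate" >&2; return 1; }

    # x509 version 3
    printf '%s\n' "$text" | grep -q 'Version: 3 (0x2)' || fail "certificate is not X.509 v3"

    # Key size: 2048 bits (minimum) to 16384 bits (maximum)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ] || [ "$bits" -gt 16384 ]; then
        fail "key size '${bits:-unknown}' is outside 2048-16384 bits"
    fi

    # SubjectAltName must contain DNS Name=<machine_FQDN> (exact, case-insensitive)
    printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr -d ' ' | tr ',' '\n' | grep -Fxqi "DNS:$fqdn" ||
        fail "SubjectAltName has no DNS entry for $fqdn"

    # Key Usages: Digital Signature, Key Encipherment
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    for usage in 'Digital Signature' 'Key Encipherment'; do
        printf '%s\n' "$ku" | grep -Fq "$usage" || fail "Key Usage lacks '$usage'"
    done

    # The .key file must hold the private key for the certificate's public key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        fail "private key does not match the certificate"

    # The signing certificate must actually verify the machine certificate
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        fail "certificate does not chain to $ca"

    return $rc
)
```

If the signing certificate is an intermediate, put the full chain up to the root in the file passed as the third argument, because `openssl verify` does not accept a partial chain by default.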