After you receive the custom certificates, you can replace each machine certificate.

You must have the following information before you can start replacing the certificates:
  • Password for administrator@vsphere.local
  • Valid Machine SSL custom certificate (.crt file)
  • Valid Machine SSL custom key (.key file)
  • Valid custom certificate for Root (.crt file)


You must have received a certificate for each machine from your third-party or enterprise CA.

  • Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
  • CRT format
  • x509 version 3
  • SubjectAltName must contain DNS Name=<machine_FQDN>.
  • Contains the following Key Usages: Digital Signature, Key Encipherment

Perform the steps on each vCenter Server host.


  1. Back up the current machine SSL certificate.
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > oldmachine.crt
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > oldmachinekey.key
  2. Log in to each host and add the new machine certificates that you received from the certificate authority to VECS.
    All hosts need the new certificate in the local certificate store to communicate over SSL.
    1. Delete the existing certificate.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
    2. Add the new certificate.
      /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert <cert-file-path> --key <key-file-path>
  3. Extract the hash of the old certificate to be replaced.
    openssl x509 -in <path_to_old_machinessl_certificate> -noout -sha1 -fingerprint

    Output similar to the following appears:

    SHA1 Fingerprint=13:1E:60:93:E4:E6:59:31:55:EB:74:51:67:2A:99:F8:3F:04:83:88
  4. Update the lookup service registration endpoint manually.
    /usr/lib/vmware-lookupsvc/tools/ --url https://<vCenterServer_FQDN>/lookupservice/sdk --certfile <cert-file-path> --user 'administrator@vsphere.local' --password '<password>' --fingerprint <SHA1_hash_of_the_old_certificate_to_replace>

    If you encounter problems running, see the VMware Knowledge base article at

  5. Restart all services.
    service-control --stop --all && service-control --start --all