Replacing vSphere 6 SSL Certificates

In our last post Certificate Management in vSphere 6 we had  a look on architecture of VMCA and what it do.

In this post I will walk through the steps needed to replace vSphere 6 SSL certificates.

In this post we will be covering following items:

  • Creating certificate templates for vSphere 6
  • Replacing Machine SSL certificates.
  • Replace VMCA Root certificate

If you have missed earlier posts of this series, then you can read them from below links

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

Lets the fun begin.

Create certificate templates

As per VMware KB Article 2112009 we need to create 2 certificate templates:

  • Machine SSL and Solution User certificates
  • Certificate template for VMCA as a Subordinate CA

To create the certificate templates, RDP to your Enterprise CA server  and click Start > Run, type certtmpl.msc, and click OK.

Right click on Certificate Templates directory and select Manage.


From the list of the templates, right-click Web Server and click Duplicate Template.


Under compatibility tab, select CA as Server 2008 and appropriate version of os family for certificate recipients


Important Note: If you select Server 2012 as CA in above window, then the version of certificate template created will be v4 and it will not be visible while requesting a certificate.

On general tab, provide a name for the template and adjust validity period setting as per your need.


Click the Subject Name tab. Ensure that the Supply in the request option is selected.


Click the Extensions tab. Select Application Policies and click Edit.


Select Server Authentication and click Remove.


Note: If Client Authentication exists, remove this from Application Policies as well.

Now select Key Usage and click Edit. Select the Signature is proof of origin (nonrepudiation) option.

Leave all other options as default.


At last click on security tab and make sure your user has rights to Enroll for certificates.

Hit OK to finish the template creation wizard.


Now we will create certificate template for VMCA as subordinate.

To do so, select “Subordinate Certification Authority” template and click on Duplicate Template.


Select Server 2008 as CA and appropriate os family as cert recipient.


Click the General tab. In the Template display name field, enter name for the new template. Make sure that “Publish certificate in Active Directory” is selected.


Click the Extensions tab. Select Key Usage and click Edit.


Ensure that Digital Signature, Certificate signing and CRL signing are enabled.


Under security tab, make sure user has permission to enroll for certificate.


Hit OK to save the template.

Add newly created templates to Certificate Templates list

Right-click Certificate Templates and click New > Certificate Template to Issue.


Select the newly created template and it OK. The newly created template will be then enabled.


Creating Certificate Signing Request

Connect to your vCenter Server via RDP and perform following steps:

1: Browse to C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg and edit as follows according to your environment


2: Run the command C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat to launch Certificate Manager menu.


3: Select Option 1 (Replace Machine SSL certificate with Custom Certificate)

Provide the administrator@vsphere.local password when prompted.

Select option 1 “Generate Certificate Signing Request(s) and Key(s) for machine SSL certificate”

Enter path to the directory in which you want to save the certificate signing request and the private key


4: Once the command completes, you will see 2 files in the directory name provided above.

Transfer these files onto your CA server


5: Open machine_ssl.csr file in a notepad and copy the contents of the file including


6: Log in to the Microsoft CA certificate authority Web interface. By default, it is http://CA_server_FQDN/CertSrv/

Click the Request a certificate link.

Click advanced certificate request.


7: Paste the content of file (including –BEGIN CERTIFICATE REQUEST– to –END CERTIFICATE REQUEST– lines) copied in step 5 in Base-64-encoded box.

From the Certificate Template dropdown, select the template which you created earlier and hit submit.


8: Select Base 64 encoded on the Certificate issued screen and click the Download Certificate link.

Also download the certificate chain from the same screen.


9: Copy the downloaded files to the directory where your csr and key files (generated in step 4) are stored. Rename the downloaded file in step 8 to machine.cer and chain file to cachain.p7b


10: Right click on cachain.p7b file and select open

In the newly opened window, select Certificates folder and from right hand side pane select CA Server cert > All Tasks > Export


Hit next to continue certificate export wizard


Select Base-64 encoded x.509 and hit next.


Browse to the directory where certificate will be exported. Name the exported file as root64.cer


Now copy the machine.cer, machine_ssl.key and root64.cer file on your vCenter Server.

Launch Certificate Manager again and choose option 1.

Now select option 2 i.e  Import Custom Certificate option and

  • Provide the path to the new certificate
  • Provide the path to the key
  • Provide the path to your Root certificate

Press “Y” when asked for confirmation for replacing the SSL certs


Now Login to vCenter Web Client and you will see your URL appears as green


If you see the certificate info by clicking on the green lock icon you will see this cert has been issued by your CA server


Replace VMCA Root certificate

Step 1. Edit the certool.cfg file – template file for CSR

The file is located at: C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg

Modify this file as per your environment. My certool.cfg file looks like below

# Template file for a CSR request

# Country is needed and has to be 2 characters
Country = IN
Name = Alex Co.
Organization = Cloud
OrgUnit = Alex CLoud
State = Karnataka
Locality = Bangalore
IPAddress =
Email =
Hostname = vcentersrv01.alex.local

Step 2. Generate CSR files

Select Option 2 to “Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates”

Enter your SSO Password

Select Option 1 to “Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate”

Provide the path to store your CSR and Key


Once the script completes you will see the csr and key file created in the directory provided by you


Transfer these files over to your CA server.

Step 3. Sign your CSR

Loin to your CA server and click on Request a certificate > Advanced Certificate Request

When you sign this certificate make sure you select the template which you duplicated from “Subordinate Certificate Authority”


Select Base 64 encoded and “Download certificate ”


Rename the downloaded file to vmca.cer

Also download CA server root certificate. From CA server home page click on “Download a CA certificate,certificate chain or CRL”


Click on Download CA certificate and save the downloaded file as rootca.cer


Now open vmca.cer and rootca.cer in notepad. Create a new text file and first copy the contents of vmca.cer into the new file and then paste the content of rootca.cer file. Save the file as chain.cer

Copy chain.cer file and root_signing_cert.key to your vCenter Server.

Step 4: Import Custom certificate(s) and key(s) for VMCA Root Signing certificate

Launch certificate-manager tool and select option 2 to “Import Custom certificate(s) and key(s) for VMCA Root Signing certificate”

Provide the chain.cer
Provide the root_signing_cert.key
Select ‘Y’


Verify the configuration of certool.cfg file and then wait for completion of cert replacement process


I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)


9 thoughts on “Replacing vSphere 6 SSL Certificates

  1. Good write up
    You should put a warning that the certificates need to be generated 24hrs before they are imported
    This appears to be for both Machine and subca (Just broke my PSC, that god for snapshots)

    1. Excellent point Troy. I read on several blogs about 24 hours thing. Luckily in my lab I did not faced that issue, but yeah I should have included that warning.

      Thanks for the heads up. I will update the blog post soon.

  2. Pingback: Replacing Esxi 6 SSL Certificates | Virtual Reality
  3. Pingback: Replacing vSphere 6 Solution user certificates with CA signed certificates | Virtual Reality
  4. Pingback: Learning NSX-Part-11-Replacing NSX default SSL Certficates with CA Signed Certificates | Virtual Reality
  5. Pingback: Replacing Esxi 6 SSL Certificates – Virtual Reality
  6. Pingback: Replacing vSphere 6 Solution user certificates with CA signed certificates – Virtual Reality
  7. Pingback: Replacing vSphere 6.0 certificates using VMCA as a Subordinate CA – Virtual Reality
  8. Pingback: Replacing vSphere 6.x Machine SSL using VMCA as a Subordinate CA –