Replacing vSphere 6 Solution user certificates with CA signed certificates

By | 24/06/2016

In our last post Replacing Esxi 6 SSL Certificates we learned how to replace Esxi host default certificates with CA signed certificates. In this post we will learn how to replace vSphere 6 solution user certificates with customer certificates signed by CA.

If you have missed earlier posts of this series, then you can read them from below links

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

5: Replacing vSphere 6 SSL Certificates

6: Replacing Esxi 6 SSL Certificates

Solution Users use SSL Certificates for internal communication and endpoint registration in vSphere 6. For vCenter with embedded PSC, there are four Solution User Certificates:

  • machine
  • vpxd
  • vpxd-extension
  • vsphere-webclient

We will be replacing certificates for all the solution user in this post.

Follow below steps to replace the solution user certificates:

1: Creating Certificate Signing Request

Launch the certificate manager utility

Press 5 to select “Replace solution user certificates with custom certificates”

Provide password of SSO account

Select option 1 “Generate Certificate signing Request(s) and key(s) for solution user certificates”


Provide path to directory where you want to store the .csr files


You will see following files created in the provided directory


4: Get the signed certs from your CA server

Copy machine.csr, vpxd.csr,vpxd-extension.csr and vpshere-webclient.csr files to your CA server and repeat following steps foe each csr file

  • Launch certificate authority web interface ( http://<servername>/CertSrv/)
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of tis file including —–BEGIN CERTIFICATE REQUEST—– to —–END CERTIFICATE REQUEST—– lines into the Saved Request box.
  • Select  vSphere6 when selecting the Certificate Template and hit Submit to submit the request. For certificates templates please follow VMware KB-2112009
  • Click Base 64 encoded on the Certificate issued screen and click Download Certificate.

Save the files as machine.cer, vpxd.cer,vpxd-extension.cer and vpshere-webclient.cer respectively.

At last download the CA server root certificate. From CA server home page click on “Download a CA certificate,certificate chain or CRL”.

Click on Download CA certificate and save the downloaded file as Root64.cer.

Copy all the 5 files back to your vCenter Server.

5: Replace the certificates

Launch certificate manager again and select option 5 and then Option 2 (Import Custom certificate(s) and key(s) for Solution User Certificates).


Provide path to the generated .cer files and respective key files to complete the certificate replacement process


Thats it. We have now successfully replaced the defaults certs for solution users with CA signed certificate.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)