Change the Machine SSL Certificate of vCenter Server

You can change the machine SSL certificate of a vCenter Server system by using the TLS and the TLS CSR interfaces of the vSphere Automation API.

Prerequisites:
  • Verify that you are connected to a vSphere Automation API server.
  • Verify that the root certificate of the CA you are going to use is available on your machine.
  • Verify that you have the required privileges: CertificateManagement.Administer and CertificateManagement.Manage.
The machine SSL certificate is used for server verification and for secure communication such as HTTPS or LDAPS. The machine certificates are the human-facing certificates in vSphere: they are used to create an SSL socket on the server side to which SSL clients can then connect.

Replacing the machine SSL certificate with one issued by an official or enterprise certificate authority is an essential part of the Hybrid Mode of vSphere certificate management. In this mode, you replace the machine SSL certificate and leave the VMCA to manage all other certificates automatically. The VMCA is a just-enough internal certificate authority that is integrated with your vSphere deployment and is purpose-built to serve the certificate needs of your vSphere environment. For more information on vSphere certificate management, see the vSphere Authentication guide.
  1. Retrieve the current Machine SSL certificate of your vCenter Server system.
     GET https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/tls
  2. Generate a certificate signing request (CSR) by using the TLS CSR functionality.
     1. Populate the CertificateManagementVcenterTlsCsrSpec data structure.

        Parameter          Type    Description
        country            String  Specifies the country in the certificate subject.
        state_or_province  String  Specifies the state or province in the certificate subject.
        locality           String  Specifies the locality in the certificate subject.
        organization       String  Specifies the organization in the certificate subject.
        organization_unit  String  Specifies the organization unit in the certificate subject.
        email_address      String  Specifies the email address in the certificate subject.

     2. Make the request.
        POST https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/tls-csr
     The system returns the CSR in PEM format.
  3. Save the CSR to your machine.
  4. Send the CSR to the certificate authority of your choice.
     The private key corresponding to the public key in the CSR is stored in the vCenter Server keystore and never leaves your system.
  5. Save the issued Machine SSL certificate to your machine.
  6. Set the new custom certificate on your vCenter Server system by using the TLS functionality.
     1. Populate the CertificateManagementVcenterTlsSpec data structure.

        Parameter  Type    Description
        cert       String  The Machine SSL certificate in PEM format. You must also paste the intermediate CA certificate, if you have one. The certificates must be JSON string escaped for newline (\n).
        root_cert  String  The third-party root CA certificate in PEM format. You must also paste the intermediate CA certificate, if you have one. The certificates must be JSON string escaped for newline (\n).

        You must not provide the private key: it was generated with the CSR and is already saved on your system.
     2. Make the request.
        PUT https://<vcenter_ip_address_or_fqdn>/api/vcenter/certificate-management/vcenter/tls
     The system returns HTTP status 204 (No Content), which means that the request was processed successfully but no content is returned.
     Restarting vCenter Server services after the certificate change is not necessary. The certificate replacement completes seamlessly and all your sessions remain active.
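The following script, an added example rather than VMware's own code, assembles the two request bodies described in the procedure above and builds the final PUT. It assumes the request body is the spec itself (fields as listed on this page), that the session is carried in the vmware-api-session-id header, a placeholder vCenter FQDN, and constructed placeholder PEM blocks. Two points it makes concrete: json.dumps() performs the newline escaping the spec requires, and a private key pasted into the spec by mistake is rejected before anything is sent.

```python
import json
import re
import urllib.request

VCENTER = "https://vcenter.example.invalid"  # placeholder host (assumed)
TLS_URL = VCENTER + "/api/vcenter/certificate-management/vcenter/tls"
CSR_URL = VCENTER + "/api/vcenter/certificate-management/vcenter/tls-csr"

# Constructed placeholder PEM blocks; not real certificates or keys.
ISSUED_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...leaf\n-----END CERTIFICATE-----\n"
ROOT_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...root\n-----END CERTIFICATE-----\n"
LEAKED_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"


def pem_labels(pem):
    """Labels of the PEM blocks in a string, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return re.findall(r"^-----BEGIN ([A-Z ]+)-----$", pem, flags=re.M)


def csr_spec(country, state_or_province, locality, organization,
             organization_unit, email_address):
    """CertificateManagementVcenterTlsCsrSpec with the fields listed in step 2."""
    return {"country": country, "state_or_province": state_or_province,
            "locality": locality, "organization": organization,
            "organization_unit": organization_unit,
            "email_address": email_address}


def tls_spec(cert_pem, root_pem):
    """CertificateManagementVcenterTlsSpec for step 6.  Every PEM block must be a
    CERTIFICATE (leaf plus optional intermediate in cert, root in root_cert);
    the private key stays in the vCenter keystore and must never be sent."""
    for field, pem in (("cert", cert_pem), ("root_cert", root_pem)):
        labels = pem_labels(pem)
        if not labels:
            raise ValueError(f"{field}: no PEM block found")
        if any(label != "CERTIFICATE" for label in labels):
            raise ValueError(f"{field}: only CERTIFICATE blocks may be sent, got {labels}")
    return {"cert": cert_pem, "root_cert": root_pem}


def api_request(method, url, session_id, body):
    """Build the HTTP request for the vSphere Automation API (header name assumed).
    json.dumps() writes each PEM newline as the two-character escape \\n, which
    is exactly the JSON string escaping the spec asks for."""
    return urllib.request.Request(
        url, method=method, data=json.dumps(body).encode(),
        headers={"vmware-api-session-id": session_id,
                 "Content-Type": "application/json"})
```

Send the built request with urllib.request.urlopen(req) and treat HTTP 204 as success; the same api_request() with "POST", CSR_URL and csr_spec(...) produces the step 2 call.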