You can use the vSphere Client to replace the default certificates with custom certificates.

You can use the vSphere Client to generate CSRs for each machine, and replace certificates when you receive them from your internal or third-party Certificate Authority (CA). When you submit the CSRs to your internal or third-party CA, the CA returns signed certificates and the root certificate. You can upload both the root certificate and the signed certificates from the vSphere Client.

Generate Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom Certificates)

The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must have a machine SSL certificate for secure communication with other services. You can use the vSphere Client to generate a Certificate Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is ready.

Prerequisites

The certificate must meet the following requirements:

  • Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded). The vSphere Client and API still accept a key size up to 16384 bits when generating the Certificate Signing Request.
  • CRT format
  • x509 version 3
  • SubjectAltName must contain DNS Name=<machine_FQDN>.
  • Contains the following Key Usages: Digital Signature, Key Encipherment
Note: vSphere's FIPS certificate only validates RSA key sizes of 2048 bits and 3072 bits.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. Enter the credentials of your vCenter Server.
  5. Generate the CSR.
    1. Under the Machine SSL tab, select the desired certificate and click Generate Certificate Signing Request (CSR).
    2. Enter your certificate information and click Next.
      2048 (bits) is the default value for the key size. Change this value as required.
      Note: When you use vCenter Server to generate a CSR with a large key size, the generation takes a few minutes to complete because of the CPU-intensive nature of the operation.
    3. Copy or download the CSR.
    4. Click Finish.
    5. Provide the CSR to your Certificate Authority.

What to do next

When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store. See Add Custom Certificates Using the vSphere Client.

Add a Trusted Root Certificate to the Certificate Store Using the vSphere Client

If you want to use third-party certificates in your environment, you must add a trusted root certificate to the certificate store. You can do so using the vSphere Client.

Prerequisites

Obtain the custom root certificate from your third-party or in-house certificate authority (CA).

vSphere accepts only valid CA certificates for import. To be valid, a CA certificate must have the CA bit and the keyCertSign bit set in the basic constraint and the key usage X.509 v3 certificate extensions respectively. This implies that the certificate is a CA and its purpose is for certificate signing. See https://www.rfc-editor.org/rfc/rfc5280 for more information.

Ensure that the keyCertSign bit is set for all the certificates in the chain.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. If the system prompts you, enter the credentials of your vCenter Server.
  5. Under the Trusted Root tab, click Add Trusted Root Certificate.
  6. Click Browse and select the location of the certificate chain.
    You can use a file of type CER, PEM, or CRT.
  7. Click Add.
    The certificate is added to the store.
    Note: In vSphere 8.0 Update 2 and later, the Start Root certificate push to vCenter Hosts check box is removed. vCenter Server pushes the root certificates to all connected hosts in the inventory when a certificate is added. When a host with different root certificates from vCenter Server is connected, vCenter Server pushes the root certificates to correct this difference. In this case, vCenter Server root certificates overwrite the ones on the host, so administrators can ensure that any custom root certificates needed throughout the inventory are added to vCenter Server.

Add Custom Certificates Using the vSphere Client

You can use the vSphere Client to add custom Machine SSL certificates to the certificate store.

Usually, replacing the machine SSL certificate for each component is sufficient.

Prerequisites

Generate certificate signing requests (CSRs) for each certificate that you want to replace. See Generate Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom Certificates). Place the certificate and private key in a location that the vCenter Server can access.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. If the system prompts you, enter the credentials of your vCenter Server.
  5. Under the Machine SSL tab, select the certificate then click Import and Replace Certificate.
  6. Click the appropriate certificate replacement option and click Next.
    Option Description
    Replace with VMCA certificate Creates a VMCA-generated CSR to replace the current certificate.
    Replace with external CA certificate where CSR is generated from vCenter Server (private key embedded) Use a certificate signed using a vCenter Server generated CSR to replace the current certificate.
    Replace with external CA certificate (requires private key) Use a certificate signed by an external CA to replace the current certificate.
  7. Enter the CSR information, or upload the appropriate certificates.
  8. Click the checkbox to acknowledge that you have backed up vCenter Server and its databases.
  9. Review the information and click Finish.
    The system replaces the certificate and displays a success message.
  10. When the certificate has been changed message appears, click Refresh to refresh your browser.

Generate a VMCA Leaf Certificate

You can generate a leaf certificate that is signed by the VMware Certificate Authority (VMCA) for use in your VMware infrastructure.

In addition to VMware Certificate Authority (VMCA) handling all certificate management, it can generate leaf certificates. Leaf certificates are signed by VMCA and are used to identify other VMware resources. VMCA-generated leaf certificates are not stored in VECS. Also, vCenter Server does not track these leaf certificates for expiration.

Prerequisites

Generate a Certificate Signing Request (CSR) on the host in your VMware infrastructure where you want to install the leaf certificate.

Procedure

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. Navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
  4. If the system prompts you, enter the credentials of your vCenter Server.
  5. Under the Trusted Root tab, select the VMCA root certificate and click Issue New Leaf Certificate.
  6. Browse for the CSR that you previously generated, specify a duration, then click Next.
  7. Click Download Certificates to save the Leaf and Root certificates.

Results

The generated Leaf and Root certificates are created and downloaded to the specified location.

What to do next

Import the Leaf and Root certificates to the target host in your VMware infrastructure.