How to renew certificates for vCenter (6.x)

If you have not upgraded yet to vSphere 7 and your vCenter certificate is about to expire or already expired, here is an runlist how to renew certificate for vCenter:

  1. SSH to vCenter with root user and root password
  2. Run tool to prepare CSR file. Tool is located: /usr/lib/vmware-vmca/bin/certificate-manager
  1. Chose option 1 and press ENTER
  2. Enter username [Administrator@vsphere.local]: PRESS ENTER (unless you are using different account)
  3. Provide a password for administrator@vsphere.local and press enter
  4. Go for option 1 to Generate CSR and Key for Machine SSL Certificate
  1. Fill out required fields:
    • Path
    • Country
    • Organization
    • OrgUnit
    • State
    • Locality
    • IP address
    • Email
    • Hostname
    • VMCA
  1. Exit the tool by typing number 2 and hit ENTER
  2. Type in ls -la to see if CSR and KEY file has been generated:
-rw-r--r-- 1 root root 1252 Oct 5 16:28 vmca_issued_csr.csr
-rw-r--r-- 1 root root 1703 Oct 5 16:28 vmca_issued_key.key
  1. Open vmca_issued_csr.csr in your favorite editor (vi, nano)
  2. Copy whole text including —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—–
  3. Paste it to notepad or notepad++
  4. Save as file_name.csr
  5. Run command to generate CERTIFICATE:
certreq -submit -attrib "CertificateTemplate:name_of_template"
  1. Chose CRS file once prompted and hit ENTER
  2. Chose the CA once prompted and hit ENTER
  3. Save your cert file.
  4. Right-click on the cert to edit it.
  5. Copy entire text including —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—–
  6. Go back to SSH session.
  7. Create new file named file_name.cer
  8. Paste text to new created file
  9. Type ls -la , you should have 3 files now: vmca_issued_csr.csr vmca_issued_key.key file_name.cer
  1. Go back to the Windows folder where your certificate was saved. You need to grab the whole certification path
  2. Check How to export certificate
  3. Once you have all certs, open them with notepad or another editing tool
  4. Go back to the SSH session and create a signing certificate for example root.cer
  5. Copy all text from certs to that file in order!
  6.  Save the file.
  7. Run Cert Tool again: /usr/lib/vmware-vmca/bin/certificate-manager
  8.  Select option number 1
  9. Enter username : administrator@vsphere.local
  10. Enter password
  11. Select option number 2: Import custom certificate(s) and key(s) to replace existing Machines SSL certificate
  12. Please provide valid custom certificate for Machine SSL (certificate generated from CSR)
  13. Please provide valid custom key for Machine SSL.
  14. Please provide the signing certificate of the Machine SSL certificate (root certificate with chain)
  1. You are going to replace Machine SSL cert using custom cert SELECT “Y“


Please like and share to spread the knowledge in the community.

Let’s chat on Twitter:

Visit my FB page:

Subscribe to my YouTube channel:

Please leave the comment