Replace VCSA 6.7 Certificate (VMCA) by an ADCS Signed Certificate

In this post I will be sharing the information on replacing self-signed certificate by a Certificate Authority (CA) signed SSL certificates in a vSphere 6.7 environment. VMware has pre-packaged the vSphere Certificate Manager utility to automate the replacement process.

The vSphere Certificate Manager utility provides all workflows to replace or regenerate the Machine SSL Certificate, Solution User Certificates and the VMCA Root Signing Certificate on the vCenter Server and Platform Services Controller.

Before starting the procedure just a quick intro for managing vSphere Certificates, vSphere Certificates can manage in two different modes

  • VMCA Default Certificates

VMCA provides all the certificates for vCenter Server and ESXi hosts on the Virtual Infrastructure and it can manage the certificate lifecycle for vCenter Server and ESXi hosts. Using VMCA default the certificates is the simplest method and less overhead.

  • VMCA Default Certificates with External SSL Certificates (Hybrid Mode)

This method will replace the Platform Services Controller and vCenter Server Appliance SSL certificates, and allow VMCA to manage certificates for solution users and ESXi hosts. Also for high-security conscious deployments, you can replace the ESXi host SSL certificates as well. This method is Simple, VMCA manages the internal certificates and by using the method, you get the benefit of using your corporate-approved SSL certificates and these certificates trusted by your browsers.

Here we are discussing about the Hybrid mode, this the VMware’s recommended deployment model for certificates as it procures a good level of security. In this model only the Machine SSL certificate signed by the CA and replaced on the vCenter server and the solution user and ESXi host certificates are distributed by the VMCA.


  • Working PKI based on Active directory Certificate Server.
  • Certificate Server should have a valid Template for vSphere environment

Note :- If you don’t have a template Refer this Post for creating a new Template

  • vCenter Server Appliance with root Access

Generate a certificate request from VCSA 6.7

Login to vCSA by using SSH or Console and launch the bash by typing Shell.

Run /usr/lib/vmware-vmca/bin/certificate-manager and select the operation option 1

Enter administrator credentials and enter option number 1.

Specify the following options:

  • Output directory path :-             path where will be generated the private key and the request
  • Country                          :-             your country in two letters
  • Name                              :-             The FQDN of your vCSA
  • Organization                 :-             an organization name
  • OrgUnit                          :-             type the name of your unit
  • State                                :-             country name
  • Locality                           :-             your city
  • IPAddess                        :-             provide the vCSA IP address
  • Email                              :-             provide your E-mail address
  • Hostname                      :-             the FQDN of your vCSA
  • VMCA Name                 :-             the FQDN where is located your VMCA. Usually the vCSA FQDN

Once the private key and the request is generated select Option 2 to exit

Next we have to export the Request and key from the location , we will user win scp for this  operation .

To perform export we need additional permission on VCSA , type the following command for same

#chsh -s /bin/bash root

Once connected to vCSA from winscp tool navigate the path you have mentioned on the request and download the  vmca_issued_csr.csr  file .

Open the Certificate Server URL using  this format  http://FQDN or IP /CertSrv/ from browser and select Request a certificate  option

Select Advanced certificate request 

Open the exported vmca_issued_csr.csr file in a notepad and copy the contents and paste ob the Column Based-64-encoded certificate Request , Select the appropriate Certificate template , here I choose vSphere 6.7 and Click  on Submit

From Next Page Select the Base 64 encoded option and Download the Certificate and Certificate Chain

Note :- You have to export the Chain certificate to .cer extension , by default it will be PKCS#7

Open Chain file by right click or double click navigate the certificate -> right click -> All Tasks  -> export and save it as filename.cer

Navigate  to Certificate Authority  Option and verify the status of request from Issued Certificate 

Next you have export the newly downloaded certificates to vCenter Appliance

Login to vCenter appliance using winscp and copy to location .

Note:- Remember path where you copied the new certificates , it is required for replacing menu .

Login to vCenter Server Appliance Console or using putty

Run /usr/lib/vmware-vmca/bin/certificate-manager and select the operation option 1

Enter administrator credentials and enter option number 2

Add the exported certificate and generated key path from previous steps and Press Y to confirm the change

  • Custom certificate for machine SSL                             :-   Path to the chain of certificate (srv.cer here)
  • Valid custom key for machine SSL                                :-   Path to the .key file generated earlier.
  • Signing certificate of the machine SSL certificate :-  Path to the certificate of the Root CA (root.cer , generated base64 encoded certificate).

Note:-  If you are providing different certificate instead of chain certificate  in Custom certificate for machine SSL option you will get error  with "depth lookup:certificate"

It will take little time to complete and you can see message

Status : 100 % Completed [All tasks completed successfully]

Now Connect to the vCenter using Web Client and you can see the new custom certificate

Referees VMware KB