Replace SSL certificates on VMware PSC v6.5

Today I will walk through replacing the SSL certificates on a vSphere 6.5 PSC appliance. This includes replacing the Machine Certificates, the Solution User Certificates and the Trusted Root Certificates. It is the same process you will be familiar with from vSphere 6.0 U2 onwards. All certificates will be issued from a Microsoft Certificate Authority. The advantage of doing this is that any subsequent component, such as a vCenter Server Appliance or an ESXi host, will automatically be issued a certificate from the PSC, as the PSC will be acting as a subordinate certificate authority.

Before we begin, let's take a look at the default certificates that are installed with the PSC. You can log in by opening https://psc_ip_or_hostname/psc and using the SSO credentials for your vSphere.local domain. Note the time stamps, as these will change once the certificates are replaced.

Machine Certificates:


Solution User Certificates:


Trusted Root Certificates:


There is the option to click More Options on each of these certificates to see its issuing path.

Let’s continue with the certificate replacement.

Step 1 – Generating the Certificate Signing Request (CSR)

Use a tool such as PuTTY to connect to the PSC over SSH and log in as root.


Type shell to grant shell access to root.


Now change the shell to bash with the command chsh -s /bin/bash root, then change directory to /usr/lib/vmware-vmca/bin.


Next, run the command ./certificate-manager to bring up the screen shown below.

We are going to replace the root certificate with a custom signing certificate and replace all certificates. Select option 2 for this. Note that this also encompasses option 3, replacing the Machine SSL certificate. In the screenshot below I have also agreed to the option, entered my SSO credentials and started configuring MACHINE_SSL_CERT.cfg, which will be used to generate the CSR later on. More info here in this VMware KB LINK


Fill in the template as appropriate for your organisation.


Remember at the beginning of this article we took a look at the 4 default certificates? There is a config file for each. Here are the next 3.


Follow the steps shown below.



At this point, some files will have been created in the /tmp/ path specified above. Leave the PuTTY session open but do not continue; we will come back to it later.

Step 2 – Generating the certificates

For the next step you will need a tool such as WinSCP to log onto the PSC and grab the files that have just been generated and placed in the /tmp/ directory.

Log into the PSC.


Change to the /tmp/ directory and grab the vmca_issued_csr.csr and vmca_issued_key.key files. Copy them to a local destination of your choice.


Now open the vmca_issued_csr.csr file in your favourite text editor and copy the contents. This will be used to request the new certificate from the Microsoft Certificate Authority.



Note, the following steps assume you already have a Microsoft Certificate Authority infrastructure in place and appropriate certificate templates.

Log into the certificate authority and click Request a Certificate.


Select advanced certificate request.


Paste in the CSR you copied earlier, select an appropriate certificate template and click Submit.


Choose Base 64 encoded and click Download certificate.


Save the file with the other two files you grabbed from the PSC earlier. I called it root_signing_certificate.


Next, we need to grab the certificate chain from the CA, including the root certificate and any intermediate certificates you may have. Head back to the main page on the certificate server and click Download a CA Certificate, as shown below.


Download the CA certificate, Base 64 encoded.


Save the file as something like domain_root_ca.


Open the domain_root_ca certificate you just saved with your favorite text editor and copy the contents.


Then paste the contents into the root_signing_certificate file we generated earlier, after the issued certificate. This adds the full certificate chain to the file for when we import it into the PSC.


Save the file.
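Before importing, it is worth checking the file you just assembled: that the issued certificate comes first and the CA chain after it, that the Windows CA's CRLF line endings are gone and the PEM blocks have not run together, and that the issued certificate really chains to the CA and matches the key certificate-manager generated. The script below is an added example, not part of the original post or of VMware's tooling. It assumes the file names used in this post (root_signing_certificate, domain_root_ca and the vmca_issued_key.key from /tmp) and writes the combined chain to a new file, root_signing_certificate_chain.pem, rather than editing in place; the openssl checks run where openssl is present (it is on the PSC), and show_served_cert gives a command-line version of the Step 4 check.

```shell
#!/bin/sh
# Added example: assemble and sanity-check the chained PEM that
# certificate-manager imports. File names are assumed to match the post.

# Number of certificate blocks in a PEM file; prints 0 rather than failing.
count_pem_blocks() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write the issued (leaf) certificate first, then the CA certificate(s).
# CRLF endings from the certsrv download are stripped and a newline is
# forced between inputs so the END of one block never fuses with the next.
build_chain() {
    leaf="$1"; ca="$2"; out="$3"
    [ "$(count_pem_blocks "$leaf")" -eq 1 ] || { echo "$leaf must hold exactly one certificate" >&2; return 1; }
    [ "$(count_pem_blocks "$ca")" -ge 1 ] || { echo "$ca holds no certificate" >&2; return 1; }
    {
        tr -d '\r' < "$leaf"; echo
        tr -d '\r' < "$ca"; echo
    } | grep -v '^[[:space:]]*$' > "$out"
    # Every BEGIN needs a matching END, otherwise a block was truncated.
    begins=$(count_pem_blocks "$out")
    ends=$(grep -c '^-----END CERTIFICATE-----' "$out" || true)
    [ "$begins" -eq "$ends" ] || { echo "unbalanced PEM blocks in $out" >&2; return 1; }
    echo "$out: $begins certificate(s), leaf first"
}

# Confirm the issued certificate chains to the CA bundle and that its public
# key is the one belonging to the private key certificate-manager wrote.
verify_chain() {
    leaf="$1"; ca="$2"; key="$3"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available, skipping verification" >&2; return 0; }
    openssl verify -CAfile "$ca" "$leaf" || return 1
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
    echo "certificate chains to CA and matches $key"
}

# After replacement (Step 4): print subject, issuer, validity and fingerprint
# of the certificate the PSC now presents on port 443.
show_served_cert() {
    host="$1"
    echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# Usage: sh check_psc_chain.sh root_signing_certificate domain_root_ca vmca_issued_key.key
if [ "$#" -eq 3 ]; then
    build_chain "$1" "$2" root_signing_certificate_chain.pem && verify_chain "$1" "$2" "$3"
fi
```

The CA file handed to verify_chain must contain the whole chain up to a self-signed root, otherwise openssl reports "unable to get issuer certificate"; that is also the chain the PSC needs, which is why the post has you download it rather than only the issuing CA's certificate.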

Step 3 – Import the certificates into the PSC

We need to now get the newly created certificate back onto the PSC. Fire up WinSCP again and copy the root_signing_certificate file back to the /tmp/ location on the PSC.


If you recall, we left the SSH session open on the PSC. We can now continue with the steps there. Choose option 1 to continue importing the custom certificates.


Choose yes to replace the root certificate.

This will then run through and update the certificate for each service.

And that’s the certificates replaced.

Step 4 – Verify certificate replacement

Once the above is complete, log back into the PSC Web UI and browse to Certificate Management. Check the time stamps on the Machine Certificates and the Solution User Certificates; they will have changed, as the certificates have been replaced.


There will also be a new root certificate in the list. You can check the certificate chain and issuer by clicking on Show Details.


And you’re done!



5 Responses

1. deryck909 says:

   How did you make your vSphere 6 VCSA template for Windows CA?

2. 28th September 2018

   […] I used the great guide from Ian Sanderson for updating the certs as a base […]
