vCenter HA: Replace Certificates for vCenter


This post is part of a series on deploying Highly Available vCenter and Platform Services Controllers.

Part 1: vCenter HA: Deploy External Platform Services Controller

Part 2: vCenter HA: Configure NetScaler for External Platform Services Controllers

Part 3: vCenter HA: Replace Certificates for Platform Services Controllers

Part 4: vCenter HA: Connect Platform Services Controllers to Active Directory

Part 5: vCenter HA: Deploy vCenter

Part 6: vCenter HA: Replace Certificates for vCenter

Part 7: vCenter HA: License vCenter

Part 8: vCenter HA: Add and Configure Hosts and Clusters

Part 9: vCenter HA: Add and Configure Datastores and Datastore Clusters

Part 10: vCenter HA: Add and Configure Distributed Switches

Part 11: vCenter HA: Configure vCenter HA

Part 12+: Advanced Tasks (Coming soon)


In this section, we are going to be configuring CSRs, requesting certificates, and replacing them on our Platform Services Controllers. You will need to make sure that you have some kind of certificate authority available in your environment. We will be going over using a Microsoft CA to issue certificates. There is a KB article about how to configure this, but it doesn’t exactly work. Use this post:  Configure Microsoft CA Templates for VMware with SHA2-256

If you don’t have SHA2 then shame on you. You should get on it. Even if you replace your certificates with SHA1, you will still receive those pesky weak key errors in Chrome and Firefox. IE hasn’t deprecated SHA1, but it’s coming from what I understand.

You will need to download OpenSSL for Windows (unless you are using Linux).

Here is the link for Windows:  Win32 OpenSSL

Go ahead and download either the 32-bit or 64-bit Light version of 1.1.0e. Once it is downloaded, go ahead and install it.

Now that you have your Certificate Authority and OpenSSL ready to go, we will begin.

Here is an example config for OpenSSL:  psca.cfg

Download the example and modify it for your FQDNs for the servers and VIP.

Save the file to your OpenSSL\bin directory.

Open a command prompt and run the following command:

openssl req -new -nodes -out vca.csr -newkey rsa:2048 -keyout psca.key -config vca.cfg

This will generate the CSR and the unencrypted key file.
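As an added example (not the post's psca.cfg and not code from the author), the script below writes an OpenSSL request config whose SANs cover the vCenter FQDN, its short name and the HA VIP name, generates the CSR with the same openssl invocation the post uses, and prints the SAN line of the CSR so you can confirm the VIP name is present before submitting it to the CA. Every hostname, IP and DN value is a constructed placeholder; replace them with your own.

```shell
#!/bin/sh
# Added example, not the post's psca.cfg: build an OpenSSL request config with
# the vCenter FQDN, short name and HA VIP name as SANs (plus an optional IP
# SAN), then create the CSR. All hostnames and DN values are constructed.

# write_req_config OUTFILE FQDN SHORTNAME VIP_FQDN [VIP_IP]
write_req_config() {
  out=$1; fqdn=$2; short=$3; vip=$4; ip=$5
  cat > "$out" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = vca.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $fqdn
DNS.2 = $short
DNS.3 = $vip
EOF
  # An IP SAN only matters if clients reach the VIP by address rather than name.
  if [ -n "$ip" ]; then
    printf 'IP.1 = %s\n' "$ip" >> "$out"
  fi
  cat >> "$out" <<EOF

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = State
localityName = City
0.organizationName = Example Org
organizationalUnitName = vCenter
commonName = $fqdn
EOF
}

# make_csr CONFIG CSR KEY: -nodes leaves the private key unencrypted, which is
# what the appliance's certificate tooling expects.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 -config "$1" -out "$2" -keyout "$3" 2>/dev/null
}

# csr_sans CSR: print the Subject Alternative Name line of the CSR so the VIP
# name can be checked before the request goes to the CA. A certificate that
# lacks the VIP name will fail validation on the load-balanced address.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage (constructed hostnames):
# write_req_config vca.cfg vc01.lab.example vc01 vcenter.lab.example 10.0.0.50
# make_csr vca.cfg vca.csr vca.key && csr_sans vca.csr
```

The SAN check is the step most worth keeping: the CA copies whatever names are in the request, and a name missed here only shows up later as a browser warning on the VIP.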

Submit this CSR to your CA and download the received certificate in Base64 format.

You will also need the Root/Intermediate Certificates in Base64 as well.

Use PuTTY to SSH into your appliance. You can download it here.

Enter your root username/password.

You will land in the appliance’s special command shell. Type shell to get to a bash shell.

At this point, you need to copy the files to the server, but there is a problem: the special command shell is the default login shell for the root user, so SCP clients cannot transfer files as root until it is changed to bash.

Type this command:  chsh -s "/bin/bash" root

Create a new directory for the files using this command:  mkdir /certs

Now you can use WinSCP or another client to upload the files.

You should have three files in the directory now: the certificate issued by your CA, the private key, and the Root/Intermediate certificate.

Build a chain file by appending the root certificate after the server certificate:

cat /certs/vca.crt >> /certs/vcachain.crt
cat /certs/rootca64.crt >> /certs/vcachain.crt

Use the vcachain.crt instead of the vca.crt.

***Note: Microsoft CAs export as a .CER. You just need to change the file extension. CER (Windows) and CRT (Linux) can be used interchangeably.
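Before handing the files to the appliance, it is worth checking that they fit together; the certificate tooling gives unhelpful errors when the key does not match the certificate or the chain does not reach the uploaded root. The following is an added example, not code from the post: it assembles vcachain.crt exactly as above, then checks key/certificate agreement, chain validity against the root, and whether a file is Base64 (PEM) rather than the DER form a Microsoft CA can also export. File names follow the post; the directory argument is assumed.

```shell
#!/bin/sh
# Added example, not from the post: assemble vcachain.crt as the post does and
# run pre-flight checks on the uploaded files. DIR is assumed to hold
# vca.crt, vca.key and rootca64.crt (the post's names).

# build_chain DIR: leaf certificate first, then the root/intermediate.
# Prints the number of certificates in the resulting chain file.
build_chain() {
  dir=$1
  : > "$dir/vcachain.crt"
  cat "$dir/vca.crt" >> "$dir/vcachain.crt"
  cat "$dir/rootca64.crt" >> "$dir/vcachain.crt"
  grep -c 'END CERTIFICATE' "$dir/vcachain.crt"
}

# key_matches_cert CERT KEY: the public key inside the certificate must be the
# public half of the key you are about to upload.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# chain_is_valid ROOT LEAF: the leaf must validate against the root you uploaded,
# otherwise the appliance will reject the chain.
chain_is_valid() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_pem FILE: a .cer from a Microsoft CA may be DER-encoded; the appliance
# wants Base64 (PEM), which carries a BEGIN CERTIFICATE marker.
is_pem() {
  grep -q 'BEGIN CERTIFICATE' "$1"
}

# der_to_pem IN OUT: convert a DER export to PEM.
der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# Usage:
# build_chain /certs
# key_matches_cert /certs/vca.crt /certs/vca.key && echo "key matches"
# chain_is_valid /certs/rootca64.crt /certs/vca.crt && echo "chain ok"
```

Order in the chain file matters: the appliance expects the server certificate first and the issuer(s) after it, which is why the two cat commands run in that sequence.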

Once the files have been uploaded, run the VMware certificate manager:

/usr/lib/vmware-vmca/bin/certificate-manager

Select Option 1.

You will be prompted for the SSO credentials.

Select Option 2.

This is what the process looks like at the command line:

After this completes, your vCenter certificates will have been replaced. You don’t have to run the additional commands that we did for the Platform Services Controllers because those were SSO endpoint specific. You can move on to licensing vCenter now.


Next Post: vCenter HA: License vCenter
