How to Update the vCenter SSL Certificate

  1. Prerequisite to get the SSL certificate.
  2. A CSR file must be shared with the AD team to generate the certificate, and the certificate should be in CER, PEM or CRT format.
  3. The private key is also required to configure the SSL certificate.
  4. The process to get the CSR file and private key from vCenter.
  5. Log in to vCenter via a PuTTY session.

For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.


  1. Run the vSphere Certificate Manager.

     OS        Command
     Windows   cd "C:\Program Files\VMware\vCenter Server\vmcad"

  2. Select Option 2.

Initially, you use this option to generate the CSR, not to replace certificates. 

  • Supply the password and the Platform Services Controller IP address or hostname if prompted. 
  • Select Option 1 to generate the CSR and answer the prompts. 

As part of the process, you have to provide a directory. Certificate Manager places the certificate to be signed (*.csr file) and the corresponding key file (*.key file) in the directory.

  1. Name the certificate signing request (CSR) root_signing_cert.csr. 
  2. Send the CSR to your enterprise or external CA for signing and name the resulting signed certificate root_signing_cert.cer. 

After that, download the private key and CSR file, and share the CSR file with the AD team so that they can generate the SSL certificate against it.

  1. After getting the SSL certificate from the AD team, copy it to any machine from which you can upload the certificate to vCenter.

Extract the certificate; you will get 2 files.

  1. Double-click the certificate that has the PSK file.
  2. You will get the screen below; expand the folder and you will get one Certificate folder.
  3. Export the certificates available in the Certificate folder one by one.
  4. Choose Base-64 encoded, as shown in the screenshot below, and click Next.
  5. Choose the path where you want to save the file.
  6. After exporting all the certificates, create one Notepad file.

Open the exported certificate (the one with the server name) in Notepad.

Copy the content of the certificate and paste it into the newly created Notepad file.

  1. Similarly, open the subCA certificate in Notepad, copy its content, and paste it into the newly created Notepad file just below the content already copied.

Similarly, open the root certificate in Notepad, copy its content, and paste it just below the existing content in the Notepad file.

Verify that the content of all 3 certificates has been copied into the Notepad file in this sequence:

  1. Server name certificate
  2. SubCA certificate
  3. Root certificate
  4. Save the Notepad file with the name full chain certificate, starting with the server name.

Rename the full chain file with the extension cer.

After saving the file in CER format, open the certificate and verify that its content is correct.

  1. Similarly, create the root64 certificate using the same process we followed to create the full chain certificate.

Sequence to create the root64 certificate:

First copy the content of the subCA certificate and then the content of the root certificate into a Notepad file.

  1. SubCA certificate
  2. Root certificate

     Rename the Notepad file to root64 with the extension cer.
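
The Notepad assembly of the two files described above can also be scripted. The following is an added example, not part of the original procedure: it builds both bundles in the same order and rejects common copy/paste mistakes (a pasted private key, two certificates in one export, a duplicated certificate, stray characters). The function names and the sample inputs are assumptions constructed for illustration, and it checks structure only, not issuer or signature linkage.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_single_cert(text):
    """Return the one certificate in an exported Base-64 file, re-wrapped cleanly."""
    blocks = PEM_RE.findall(text.lstrip("\ufeff"))  # Notepad may add a UTF-8 BOM
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("private key found; keys never belong in a chain file")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels}")
    # validate=True rejects stray characters left behind by a bad copy/paste
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    if der[:1] != b"\x30":  # every DER certificate starts with an ASN.1 SEQUENCE
        raise ValueError("payload does not look like a DER certificate")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundles(server, sub_ca, root):
    """Assemble both files in the order given above."""
    s, i, r = (read_single_cert(t) for t in (server, sub_ca, root))
    if len({s, i, r}) != 3:
        raise ValueError("the same certificate was supplied more than once")
    # full chain: server, subCA, root; root64: subCA, root
    return {"fullchain": s + i + r, "root64": i + r}


def fake_export(tag, eol="\r\n", bom=True):
    """Constructed sample: a placeholder payload, not a real certificate."""
    b64 = base64.b64encode(b"\x30\x82" + tag.encode() * 30).decode()
    text = eol.join(["-----BEGIN CERTIFICATE-----", b64, "-----END CERTIFICATE-----", ""])
    return ("\ufeff" if bom else "") + text


if __name__ == "__main__":
    out = build_bundles(*(fake_export(n) for n in ("server", "subca", "root")))
    for name, pem in out.items():
        print(name, pem.count("BEGIN CERTIFICATE"), "certificates")
```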

  1. Copy the certificate to vCenter for configuration.

Use WinSCP to copy the file to vCenter.

The certificate-related prerequisites for configuring the certificate are now complete.

  1. Before implementing the certificate in vCenter, the following steps are required.
  2. Raise a standard CR for the certificate implementation.
  3. Take a snapshot of the vCenter, the Connection Server and the Composer server.
  4. Disable provisioning from the View server console.
  5. Now we can start the certificate configuration.

Log in to vCenter via the PuTTY console.

  1. Once the certificate configuration is completed, log in to vCenter via the console.

Then check and validate the certificate.

Now log in to the View console, enable provisioning, and try to edit an existing desktop pool and create a new VDI machine or delete an existing VDI machine.

If everything is working fine, we can conclude that the certificate is configured properly.