Today a very quick post for anybody that is using the vSphere Client to generate a new .CSR to create a new certificate for the vCenter Server. I usually use the certificate-manager tool on the commandline, but I figured, let’s diversify my daily actions and let us use the vSphere Client. This has been around for a while now. The below blog post was made while using the 6.7 U3 vSphere Client.

You can easily do this by logging into the vSphere Client -> Administration -> Certificates -> Certificate Management. Press on Actions -> Generate CSR on the __MACHINE_CERT, like below (procedure can also be found here):

vSphere Client certificate management
vSphere Client certificate management

Next you can enter the certificate fields like you usually do on the command line:

vSphere Client Certificate Manager Generate CSR
vSphere Client Certificate Manager Generate CSR

And once this is done you get a window that displays the .CSR you just created. You can copy this .CSR and use your favorite CA to create the new certificate for the vCenter Server. Once you received the certificate file with the Chain, go back to the previous window in the vSphere Client, and instead of pressing Actions -> Generate CSR, press Replace. In this window upload the certificate file, and the Private Key file.

Replace Certificate in vSphere Client
Replace Certificate in vSphere Client

Wait what? I never received the private key file. The procedure also does not mention anything about the private key file. Ok so where is this private key file located? I did a quick recursive search on the command line with locate*.key but didn’t really find anything that looked like it was my private key:

After carefully looking around and checking the below log file, I noticed the second to last line in the /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log log file.

It looks like the .CSR got created successfully and the private key is stored inside the VECS certificate store under the __MACHINE_CSR alias. Aah ok this makes sense. I just wish that VMware said this on their documentation, or just provided the user with a notification in the vSphere Client when a .CSR is generated. You can dig up the private key with the following command:

Copy this private key to a notepad file and save it as private.key. Now this file can be used while importing the validated certificate file into the vSphere Client.

vSphere Client Certificate Manager certificate replacement
vSphere Client Certificate Manager certificate replacement
vSphere Client Certificate Manager certificate replacement success

Now all we need to do is restart the following services on the command line, please be aware that this will introduce some downtime on the vCenter Server:

Once this is done the certificate will be replaced. Fortunately this has been updated in vSphere 7.0. It will now automatically use the private key that is stored in the VECS store.

This was all for today. It took me a bit of time to find this out, so I hope I can prevent you from looking around to long!

4 Comments

  1. If you sign a certificate using CSR generated in vCenter then you don’t need the private key. When importing the signed certificate choose “Replace with external CA certificate where CSR is generated from vCenter Server (private key embedded)” and then you’ll only be required to provide the signed certificate without the private key.
    See this screenshot: https://pasteboard.co/JEWKzfd.png

    Avatar Michal
      1. Try the second option, “Replace with certificate generated from vCenter server” (although I agree that this label is unfortunate since it’s not the certificate that was generated on the VC but the signing request).

        Avatar Michal

Leave a Reply

Your email address will not be published. Required fields are marked *