Today a very quick post for anybody who is using the vSphere Client to generate a new .CSR for a new vCenter Server certificate. I usually use the certificate-manager tool on the command line, but I figured, let's diversify my daily actions and use the vSphere Client instead. This functionality has been around for a while now. The blog post below was written using the 6.7 U3 vSphere Client.

You can easily do this by logging into the vSphere Client -> Administration -> Certificates -> Certificate Management. Click Actions -> Generate CSR on the __MACHINE_CERT entry, as shown below (the procedure can also be found here):

vSphere Client certificate management

Next you can enter the certificate fields like you usually do on the command line:

vSphere Client Certificate Manager Generate CSR

Once this is done you get a window that displays the .CSR you just created. Copy this .CSR and use your favorite CA to issue the new certificate for the vCenter Server. When you have received the certificate file with the chain, go back to the previous window in the vSphere Client and, instead of Actions -> Generate CSR, press Replace. In this window you are asked to upload the certificate file and the private key file.

Replace Certificate in vSphere Client

Wait, what? I never received a private key file. The procedure also does not mention anything about a private key file. So where is this private key located? I did a quick search on the command line with locate *.key, but didn't find anything that looked like my private key:

root@vcsa02 [ ~ ]# locate *.key
/etc/vmware-rbd/ssl/rbd-ca.key
/etc/vmware-rbd/ssl/waiter.key
/etc/vmware-rhttpproxy/ssl/rui.key
/etc/vmware-vpx/ssl/data-encipherment.key
/etc/vmware-vpx/ssl/rui.key
/etc/vmware-vpx/ssl/vcsoluser.key
/etc/vmware/vmware-vmafd/machine-ssl.key
/opt/vmware/var/lib/vami/update/data/signature.key
/storage/db/vpostgres_ssl/server.key
/usr/lib/vmware-updatemgr/bin/ssl/jetty.key
/usr/lib/vmware-updatemgr/bin/ssl/rui.key
/var/lib/vmware/vmcam/ssl/rui.key

After looking around more carefully, I noticed the second-to-last line of the /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log file, shown below.

2020-12-11T12:06:08.274Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.vapi.impl.setup.AuthzPermissionValidator  opId=] User VSPHERE.LOCAL\Administrator has required privileges [CertificateManagement.Manage] to invoke API com.vmware.vcenter.certificate_management.vcenter.tls_csr.create
2020-12-11T12:06:08.376Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Generating a new certifcate signing request for user provided input specifications
2020-12-11T12:06:08.377Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Input Spec -
2020-12-11T12:06:08.377Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] key size: 4096
2020-12-11T12:06:08.377Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Common Name: vc02.bvecloud.nl
2020-12-11T12:06:08.377Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Organization: BveCloud
2020-12-11T12:06:08.378Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Organization Unit Name: Operations
2020-12-11T12:06:08.378Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Email: bvecloud@bvecloud.nl
2020-12-11T12:06:08.378Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Locality: Amsterdam
2020-12-11T12:06:08.378Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] State: Noord-Holland
2020-12-11T12:06:08.378Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Country: NL
2020-12-11T12:06:08.378Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Hostnames: 10.0.0.1,vc02.bvecloud.nl
2020-12-11T12:06:08.378Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] IP Address: 10.0.0.1
2020-12-11T12:06:08.378Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] User provided key size: 4096
2020-12-11T12:06:08.822Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Successfully generated private key
2020-12-11T12:06:08.836Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Successfully generated certificate signing request
2020-12-11T12:06:08.986Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Added new entry __MACHINE_CSR to VECS store MACHINE_SSL_CERT
2020-12-11T12:06:08.987Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] Successfully stored the private key to VECS store MACHINE_SSL_CERT, alias __MACHINE_CSR
2020-12-11T12:06:08.987Z [tomcat-exec-9  INFO  com.vmware.certificatemanagement.impl.SSLCertificate  opId=] CSR generation API executed successfully

It looks like the .CSR was created successfully and the private key was stored inside the VECS certificate store under the __MACHINE_CSR alias. Aah, ok, this makes sense. I just wish VMware mentioned this in their documentation, or showed the user a notification in the vSphere Client when a .CSR is generated. You can dig up the private key with the following command:

root@vc02 [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR 

Copy this private key into a text file (Notepad will do) and save it as private.key. This file can now be used when importing the CA-signed certificate through the vSphere Client.
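Before uploading the key and the CA-signed certificate, it is worth confirming that they actually belong together; a mismatch is the most common reason the Replace step fails. The script below is an added example (not part of the original post): it reuses the post's vecs-cli command and assumes openssl is available in the appliance shell.

```shell
#!/bin/sh
# Added example, not from the original post. Exports the CSR's private key
# from VECS (the post's own vecs-cli command) into a file and checks that it
# belongs to the certificate (or CSR) you are about to upload.
# Assumes openssl is on PATH.

# Write the VECS private key to the file in $1, readable only by the owner.
export_vecs_key() {
  umask 077
  /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey \
    --store MACHINE_SSL_CERT --alias __MACHINE_CSR > "$1"
}

# Print the PEM public key contained in a private key, CSR or certificate
# file. For a certificate file with a chain, openssl reads the first (leaf).
pubkey_of() {
  if grep -q "PRIVATE KEY" "$1"; then
    openssl pkey -in "$1" -pubout
  elif grep -q "CERTIFICATE REQUEST" "$1"; then
    openssl req -in "$1" -pubkey -noout
  else
    openssl x509 -in "$1" -pubkey -noout
  fi
}

# Exit 0 when the key in $1 and the cert/CSR in $2 carry the same public key,
# 1 on a mismatch, 2 when either file could not be parsed.
keys_match() {
  a=$(pubkey_of "$1" 2>/dev/null) || return 2
  b=$(pubkey_of "$2" 2>/dev/null) || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage on the appliance: ./check.sh private.key signed-with-chain.crt
if [ "$#" -eq 2 ]; then
  rc=0
  keys_match "$1" "$2" || rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "OK: $1 matches $2, safe to upload both in the Replace dialog"
  else
    echo "MISMATCH (rc=$rc): $1 does not belong to $2" >&2
    exit 1
  fi
fi
```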

vSphere Client Certificate Manager certificate replacement
vSphere Client Certificate Manager certificate replacement success

Now all we need to do is restart the services from the command line. Please be aware that this will cause some downtime on the vCenter Server:

service-control --stop --all
service-control --start --all

Once this is done the certificate has been replaced. Fortunately this has been improved in vSphere 7.0, which now automatically uses the private key that is stored in the VECS store.

This was all for today. It took me a bit of time to figure this out, so I hope I can save you from searching around too long!


Bryan van Eeden

Bryan is an ambitious and seasoned IT professional with almost a decade of experience in designing, building and operating complex (virtual) IT environments. In his current role he tackles customers, complex issues and design questions on a daily basis. Bryan holds several certifications such as VCIX-DCV, VCAP-DCA, VCAP-DCD, V(T)SP and vSAN and vCloud Specialist badges.

7 Comments

Michal · December 14, 2020 at 11:31 pm

If you sign a certificate using CSR generated in vCenter then you don’t need the private key. When importing the signed certificate choose “Replace with external CA certificate where CSR is generated from vCenter Server (private key embedded)” and then you’ll only be required to provide the signed certificate without the private key.
See this screenshot: https://pasteboard.co/JEWKzfd.png

    Bryan van Eeden · December 15, 2020 at 8:57 am

    Hi Michal,

    You are absolutely correct, but this is only in vCenter Server 7 as far as I know, see below:
    vCenter Server Certificate Management from the vSphere Client

      Michal · December 15, 2020 at 4:51 pm

      Try the second option, “Replace with certificate generated from vCenter server” (although I agree that this label is unfortunate since it’s not the certificate that was generated on the VC but the signing request).

        Bryan van Eeden · December 15, 2020 at 4:56 pm

        Hi Michal,

        The second option will work, like I said in my previous reply! But this screen is not available if you use a pre vSphere 7.0 version. You will only get the screen I showed in this blogpost.

        Kind regards,
        Bryan van Eeden

Mathew · April 22, 2021 at 9:49 am

Thank you so much Bryan for this article. You saved me hours of work.
Small comment from my side. In my version 6.7u3j the command for getting the private key was:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR

James · May 1, 2023 at 2:09 pm

1st thanks so much for this documentation, it helped me. One thing of note is

root@vc02 [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_

should be /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR (the CSR was left off in your code)
