Replace VMCA Root certificate with a CA signed certificate

There’s no doubt VMware have poured significant effort into simplifying the certificates side of things. In comes a batch file located in \Program Files\VMware\vCenter Server\vmcad called certificate-manager.bat. I won’t go into the details of the file’s contents and which options you need to choose; all of that is covered in various VMware KB articles here. Instead, I’ll walk you through my experience of going through this process. I must say Derek Seaman has done a damn fine job by providing a toolkit that does all this automatically; you can see it here. But if you are feeling brave (in a lab environment, that is), you could do it like this:

1. RDP/console to your PSC VM and go to the path indicated above on that machine (or, as in my case, the vCenter Server VM, which is also the PSC VM since this is an embedded deployment) and crack open the batch file.

2. Choose option 2 to generate the private key (the .key file) and the certificate signing request (the .csr file). You need the .key file to ensure the integrity of the certificate and the .csr file to get your Certificate Authority to issue you a certificate. Save the files to a location and don’t get rid of the .key file, as you’ll need it later. See below for a quick screenshot:

VMCA generate CSR

3. Next, open up your browser and go to https://<yourCAFQDN>/certsrv. Note: your CA must have an HTTPS binding with an SSL certificate configured for that binding for this URL to open (I’ll do a post about this too and link it here).

4. Click on Request a Certificate > “submit an advanced certificate request” > Submit a certificate request by using…

5. Open the root_signing_cert.csr file in Notepad, copy its contents and paste them into the box presented, as shown below, ensuring the Certificate Template chosen is “Subordinate Certification Authority” (this bit is important because you are making the VMCA a subordinate CA in the hierarchy).

VMCA paste CSR

6. Your CA will then issue a certificate and it becomes available for download. Click Download certificate, ensuring the certificate type is Base 64 encoded.

VMCA download cert

7. Next, you need to combine (concatenate) this certificate and your Certificate Authority’s Root CA certificate into one file. Crack open Notepad, browse to and open the downloaded certificate. Export your CA’s Root CA certificate to this VM and open it in another Notepad window as well. Crack open a third Notepad window and paste in the contents of the certificate you downloaded first, followed by the contents of the Root CA certificate. The file would look like this:

VMCA concatenated cert file

Note: if there’s an intermediate CA in your environment, the intermediate CA’s certificate sits in the middle, between the two.

8. Save this file with whatever name you choose. Ensure the extension is .cer.

9. Go back to your Certificate Manager batch file window, hit 1 to continue, and provide the paths to the concatenated file you just created and the .key file created in Step 2. See below:

VMCA replace cert 1

10. Note that it takes some time for the services to shut down and restart.

Finally, you’ll know the certificate has been replaced because when you now visit your Web Client, a new certificate will be available and in use:

VMCA replace cert 2

The Certificate Manager utility will also automatically replace all other vSphere certificates. VMware have a KB article for all this too; this post is meant to contain more detail and visualization.
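As an added example that is not part of the original post, the following PowerShell script (run on the PSC VM) builds the concatenated .cer file from Steps 7 and 8 and checks the two things that make Certificate Manager reject it: an issued certificate that lacks the CA flag (the “Not A CA cert” error raised in the comments) and certificates pasted in the wrong order. The file paths are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original post. Paths are assumptions: point them at
# the certificate downloaded from /certsrv (Base 64 encoded), any intermediate CA
# certificates (nearest issuer first) and your CA's Root CA certificate.
param(
    [string]$IssuedCert     = 'C:\certs\vmca_issued.cer',
    [string[]]$Intermediate = @(),
    [string]$RootCert       = 'C:\certs\root_ca.cer',
    [string]$OutFile        = 'C:\certs\vmca_chain.cer'
)

# PEM-encode a certificate, i.e. what Notepad shows for a "Base 64 encoded" download.
function ConvertTo-Pem([X509Certificate2]$Cert) {
    "-----BEGIN CERTIFICATE-----`n" +
    [Convert]::ToBase64String($Cert.RawData, [Base64FormattingOptions]::InsertLineBreaks) +
    "`n-----END CERTIFICATE-----"
}

# True when Basic Constraints says CA=TRUE, which the "Subordinate Certification
# Authority" template sets and a web-server template does not.
function Test-IsCa([X509Certificate2]$Cert) {
    $bc = $Cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    return ($null -ne $bc) -and $bc.CertificateAuthority
}

$paths = @($IssuedCert) + $Intermediate + @($RootCert)
$chain = @(foreach ($p in $paths) { [X509Certificate2]::new($p) })

# Check 1: the cert that becomes the VMCA root must itself be a CA certificate.
if (-not (Test-IsCa $chain[0])) {
    throw "Issued certificate lacks CA=TRUE; re-issue it with the Subordinate Certification Authority template."
}

# Check 2: each cert's Issuer must equal the Subject of the next one in the file,
# and the file must end with a self-signed root (the order Step 7 builds by hand).
for ($i = 0; $i -lt $chain.Count - 1; $i++) {
    if ($chain[$i].Issuer -ne $chain[$i + 1].Subject) {
        throw "Chain break: '$($chain[$i].Subject)' was not issued by '$($chain[$i + 1].Subject)'."
    }
}
if ($chain[-1].Issuer -ne $chain[-1].Subject) { throw "Last certificate is not a self-signed root." }

# Write issued cert, intermediates, then root as ASCII, with the .cer extension Step 8 asks for.
($chain | ForEach-Object { ConvertTo-Pem $_ }) -join "`n" | Set-Content -Path $OutFile -Encoding Ascii
"Wrote $($chain.Count) certificate(s) to $OutFile"
```

Feed the resulting file to Certificate Manager in Step 9 alongside the .key file from Step 2.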


  1. Thanks for the tips, will come in handy when I go about upgrading my environment to 6.0.

  2. Gives me an error: not a valid CA.

  3. Please disregard my first message; instead it gives me an error: Not A Ca cert…

    • Hi Mark, open the cert and view its chain – do you see your CA in there? If you don’t, you need to have the cert issued again.
