What all the VMware components needs a New VMware Certificate?

Here in this post I am writing about the VMware components that require the certificates, and how to create the CSR using the open SSl. Each of the following components needs the unique Signed/self-signed certificates, hence we Install and configure the certificate for the following VMware vSphere components:

    • ESXi host
    • vCenter components
    • vCenter Server
    • SSO
    • Inventory Service
    • Web Client Service
    • Log Browser
    • VMware vCenter Update Manager
    The process for replacing the default certificate with a new certificate on ESXi host or any vCenter component is as follows:
    • Create a certificate-signing request (CSR).
    • Generate a certificate from the CSR.
    Create Certificate-Signing Requests (CSR) for vCenter Server using openssl
    One way to create a Certificate-Signing Requests (CSR) is with the help of OpenSSL utility.

    There are so many free opensource applications out there online for createing the openSSL certificates. Download this openSSL utility from varioiius sources like from

    • Install all the pre-requisites for the openSSL and then install the openSSL application.
    • Now use the openssl. cnf file as the template for creating Certificate-Signing Requests (CSR). What this means is that use the openssl.cnf file to create a multiple CSR’s for each of the above mentioned components (for ESXi, vCenter, Web Client, etc.)
    • This “openssl. cnf“file can be found at C: \<OpenSSL_Install_Dir\bin Folder

    Edit your OpenSSL configuration file (openssl.cnf) to the best of your environment. and here is how you gonna do it.
    • Generate the RSA key for the vCenter Server system and the CSR.
    For example:  

    openssl req -new -nodes -out mycsr.csr -config openssl.cnf
    • When prompted, type the fully qualified host name as the system’s common Name.
    • Send the certificate request to the commercial certificate authority of your choice and wait for the return of the signed certificate. Or, sign the request using your local root certificate authority:
    openssl ca -out rui.crt -config openssl.cnf -infiles mycsr.csr
    • At the prompt, type the password needed to access the root key.
    • You have a new generated and signed rui.crt for the specified system, and the private key for the system (rui.key). 
    This post is my third post on the VMware Certificates, where you can find the other two posts at the following links:

      Leave a Reply