How to Replace vCenter 7 Self-Signed Certificate
Tutorial on how to replace the vCenter 7 self-signed certificate with one issued by a Microsoft CA
Generate CSR from vCenter 7 in GUI
Log in to vSphere vCenter 7 and go to Menu > Administration > Certificates > Certificate Management. Under Machine SSL Certificate, select Actions > Generate Certificate Signing Request (CSR).

Common Name and Host are auto-filled based on the hostname assigned to vCenter.

Click Copy to save the content of the CSR file.

Generate SSL Certificate from Microsoft CA
Install Microsoft Certificate Authority (CA) by following this link if you do not have a CA installed.
Log in to http://CA/certsrv and click Request a Certificate.

Click Advanced Certificate Request.

Select Web Server in Certificate Template and paste the content of the CSR generated in vCenter.

Select Base 64 encoded and click Download Certificate.
Save it to C:\temp\vcsa.cer.

Export CA Root Certificate and import it to vCenter
Export the CA Root Cert from the AD Domain Controller in .cer format:
# Export CA Root Cert (Export-Certificate writes DER encoding by default)
$CA_Root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Subject -like "*CN=Aventis.Dev*"
Export-Certificate -Cert $CA_Root -FilePath C:\Temp\CA-Root.cer
Convert the .cer from DER format to Base64 format and save it as C:\temp\CA-Root-Base64.cer:
certutil -encode C:\Temp\CA-Root.cer C:\Temp\CA-Root-Base64.cer
Add the CA Root Certificate in Base64 format in Administration > Certificates > Certificate Management.

Replace vCenter 7 Self-Signed Certificate
Under Machine SSL Certificate, click Actions > Import and Replace Certificate.

Select Replace with certificate generated from vCenter Server.

Import C:\temp\vcsa.cer as the Machine SSL Certificate and C:\temp\CA-Root-Base64.cer as the Chain of Trusted Root Certificates. Click Replace to continue.

The vCenter Appliance reboots automatically to load the new certificate.

Verify SSL Certificate is imported successfully
The self-signed SSL certificate has been replaced with the imported SSL certificate, chained to the CA root.
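
The same verification can be scripted from PowerShell once the appliance is back up. This is an added example, not part of the original tutorial: it checks that the certificate vCenter serves on port 443 is the one saved as C:\temp\vcsa.cer, that it chains to the exported CA root, and that it matches the hostname. The FQDN vcsa.example.local is a placeholder, and skipping revocation checking is an assumption made for a lab CA.

```powershell
# Added example. Assumption: vcsa.example.local is a placeholder for your vCenter FQDN.
$VcHost   = 'vcsa.example.local'
$CertType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$Issued   = New-Object $CertType -ArgumentList 'C:\temp\vcsa.cer'            # issued by the CA
$Root     = New-Object $CertType -ArgumentList 'C:\temp\CA-Root-Base64.cer'  # exported CA root

# The callback accepts any certificate so it can be inspected below (no data
# is sent over the connection); it records Windows' own verdict in $seen.
$seen = @{}
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $policyErrors)
    $seen.Errors = $policyErrors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($VcHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
    $ssl.AuthenticateAsClient($VcHost, $null, $tls12, $false)
    $Served = New-Object $CertType -ArgumentList $ssl.RemoteCertificate
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

# Build the chain with the exported root as a candidate issuer, then confirm
# the chain really ends at that root rather than at any other certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'   # assumption: CRL not checked here
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($Root)
$built = $chain.Build($Served)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
[pscustomobject]@{
    ServedIsIssuedCert = $Served.Thumbprint -eq $Issued.Thumbprint
    ChainsToExportedCA = $built -and ($top.Thumbprint -eq $Root.Thumbprint)
    HostNameMatches    = -not ($seen.Errors -band $nameMismatch)
    NotAfter           = $Served.NotAfter
}
```

All three boolean fields should be True; a False in ServedIsIssuedCert means the appliance is still serving a different certificate from the one that was imported.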


