Replace machine certificate in vSphere 7

Compared to posts describing the same task in older versions, this one will be rather short. Replacing vCenter certificates has become easier with every release, and it has never been as easy as it is now.

In vCenter 7 there is just one certificate to manage. Solution certificates are gone, or more precisely deprecated, in 7.0. You can also see this in the CLI certificate-manager; compare its welcome screen in 6.7 and 7.0:


vSphere 7.0 also provides a new GUI for replacing this certificate. This post explains the steps to replace the vCenter certificate with one signed by a Windows CA.

Steps for replacement

  1. Create a CSR (Certificate Signing Request) for the new certificate.
     Go to Menu –> Certificate Management and press ACTIONS in the __MACHINE_CERT box. Select Generate Certificate Signing Request (CSR) and fill in the requested data. Make sure to enter the FQDN and the short hostname (comma separated) of vCenter in Subject Alternative Name, because current browsers compare these values with the hostname actually used. When pressing Next, you have the option to copy the request to the clipboard and to download it.

     Download the file for use in the next step. Here: C:\Cert\vcsa.csr
  2. Create the new certificate in the Windows CA
     Until now I used the Windows CA Web Enrollment site (https://CA_hostname/certsrv/) for this task, but I was told it is no longer maintained by Microsoft, so I switched to a supported method: the command line. Normally this could be done with the MMC, but there you cannot define the certificate template to use (see Notes). Therefore I use certreq. Full command using the Web Server template:

    certreq.exe -submit -attrib "CertificateTemplate:WebServer" "C:\Cert\vcsa.csr"

     This command opens a Save Certificate window. I use: C:\Cert\vcsa-cert.cer

  3. Export the CA root certificate
     The last piece we need is the CA root certificate (including the existing chain). I previously used the Web Enrollment site for this as well, but it can be done from the command line too. To export the CA root certificate, run this command on the CA computer:

    certutil -ca.cert c:\Cert\root-cert.cer

     Unfortunately we need another format (BASE64, which is human readable). Therefore run this command to convert the file:

    certutil -encode c:\Cert\root-cert.cer c:\Cert\root-cert-base64.cer

  4. Replace the certificate
     The last step is to use the new wizard for certificate replacement. Click ACTIONS in the __MACHINE_CERT box and select Import and Replace Certificate.
     Select Replace with certificate generated from vCenter server. This sounds misleading, but it is meant for the case where vCenter created the CSR that was used to create the certificate, which is exactly what we did. With this option we do not need to supply a private key, because it was created during CSR creation.

     On the next page, select the appropriate files:
     Machine SSL Certificate –> vcsa-cert.cer
     Chain of trusted root certificates –> root-cert-base64.cer

     When everything works, all vCenter services are restarted and you see this:
     After a few minutes you should be able to log in to vCenter again.

Notes

  • After this procedure you will also see a new Trusted Root Certificate, which is the CA root certificate.
  • If you try to replace the certificate this way without creating a CSR, you will see this error:
    [Error occurred while fetching tls: Certificate not found for given ID (Certificate is not valid)]
  • To keep this workflow simple, you have to use the CSR to create the certificate, and you have to use that certificate for the replacement. You must not create another CSR between certificate creation and replacement. If you do, you will see this error:
    [Error occurred while fetching tls: Exception found (The provided MACHINE_SSL certificate and provided private key are not valid.)]

    This is because creating a CSR also creates a private key. If you create another CSR after the certificate has been issued, the private key no longer matches the certificate.

  • If you try to issue the certificate in the Microsoft Certificate Authority GUI (MMC) you will get the following error, because of the missing template information (see Step 2).
    [The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.]
  • Even when the replacement works fine, your browser may still show certificate issues. This is a browser topic; for example, Chrome does not like SHA1. The same certificate is OK for Internet Explorer.
  • [Update] If you are looking for the private key in the VCSA during this process, read here to learn more. That post is for 6.7.
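Before uploading the three files to the wizard, the checks below catch the problems listed in the notes above (a certificate issued for a different CSR than the key vCenter holds, a file that is still binary rather than BASE64, a SAN missing the FQDN or short hostname) and verify the chain. This is an added example and not part of the original post; it assumes openssl on the PATH (a Linux box or the VCSA shell) and the file names used above.

```shell
# Added example, not from the original post: pre-flight checks for the three
# files the "Import and Replace Certificate" wizard consumes.
# Assumes openssl on PATH and the post's file names: vcsa.csr, vcsa-cert.cer,
# root-cert-base64.cer.

# 0 when the file is BASE64/PEM (what the wizard wants), 1 when it is binary.
is_pem() {
  grep -q -- '-----BEGIN' "$1"
}

# 0 when the issued certificate carries the public key from the CSR.
# vCenter keeps the private key it generated with the CSR; a certificate made
# from an older or newer CSR triggers the "private key are not valid" error.
pubkey_matches_csr() {
  csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null || true)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
  [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# 0 when every name given after the certificate is a DNS entry in its SAN
# (the post asks for FQDN and short hostname).
san_contains() {
  crt=$1; shift
  sans=$(openssl x509 -in "$crt" -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name' || true)
  for name in "$@"; do
    printf '%s,' "$sans" | grep -qF "DNS:$name," || return 1
  done
}

# 0 when the chain file validates the machine certificate up to the root.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: check_bundle vcsa.csr vcsa-cert.cer root-cert-base64.cer FQDN SHORT
check_bundle() {
  csr=$1; crt=$2; chain=$3; shift 3
  is_pem "$crt" && is_pem "$chain" \
    && pubkey_matches_csr "$csr" "$crt" \
    && san_contains "$crt" "$@" \
    && chain_verifies "$crt" "$chain"
}
```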

13 responses to “Replace machine certificate in vSphere 7”

  1. roydfreeman says:

    Your blog mentions that Solution User certificates have gone in 7.0 but they’re still in the 7.0 documentation (

    Please could you clarify?

  2. Tony Hall says:


    How do you fix this error you have described above?

    Error occurred while fetching tls: Exception found (The provided MACHINE_SSL certificate and provided private key are not valid.)


    • vNote42 says:

      Hi Tony!
      You should do these steps:
      1. create a CSR,
      2. create a Certificate using this CSR.
      When you did not create a CSR or you re-created a CSR and try to install the certificate that is based on the first CSR, you will get this error.
      When you create a CSR a private key is created as well. The certificate you try to install must match this key!
      I hope this helps.

      • Tony Hall says:

        Thanks for the very prompt reply.

        I have been confused by certificate use for some time because there seems to be contradictory advice. For example in VMware KB 2112014 it says

        “When using an external CA, the MACHINE_SSL_CERT needs to contain all certificate starting from root, like:
        machine_ssl.cer: This is a complete chain of leaf + intermediateCAs(if applicable) + rootCA
        Root64.cer: This is a chain of intermediateCAs(if applicable) + RootCA”



        • vNote42 says:

          Hi Tony!

          This is true, the certificate you want to install must include the whole chain as well. In the GUI you can put in the machine and root (incl. chain) certificates separately (Step 4: Replace certificate). When you install the certificate using the CLI, just one file can be installed. In this case, certificate and chain need to be copied into one file.


  3. Simon Shaw says:

    This is straightforward but still not easy.
    We should be able to easily import wildcard certs, tie directly to Windows CA server etc. Lot of room for improvement I think.

  4. Maik says:


    I followed this blog and the commands and ended up with this error:

    Error occurred while fetching tls: the trustAnchors parameter must be non-empty

    Does someone know a solution for this?

    Many thanks
    Best regards
