In this guide, I will walk you through installing a self-signed SSL certificate by generating a Certificate Signing Request (CSR) for vCenter and issuing the certificate from a Microsoft Certificate Authority.
Prerequisites:
vCenter 7 and above
Microsoft Certificate Authority (installed & configured)
Root certificate from the Microsoft CA installed on your workstation
Step One: Generate a CSR from the vCenter
Go to the vSphere Client > Administration > Certificate Management > Generate Certificate Signing Request (CSR)
Common Name & Host should be prefilled when entering the CSR info. However, you should fill in the Organization name, Organizational Unit (Department Name), Country, State, Locality (City), and Email Address.
Download the generated CSR file.
Note: A private key is automatically generated when generating the CSR; it will be embedded within vCenter.
Step Two: Submit the CSR in Microsoft Certificate Authority and issue the certificate
Submit a new request (CSR) to the Microsoft Certificate Authority.
Next, find the submitted CSR under Pending Requests.
Sign the certificate by issuing the recently submitted request.
You may find the signed certificate under the Issued Certificates folder.
Open the issued certificate.
Export the certificate by clicking Copy to File.
When exporting the certificate, choose the file format “Base-64 encoded X.509”.
Confirm the name and destination of the file.
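Before importing, you can confirm that the exported file is Base-64 (PEM), that it carries the same public key as the CSR downloaded in Step One, and that it verifies against the root certificate. The script below is an added example, not part of the original guide; it assumes the openssl command-line tool is available, and the function names, file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-issued Machine SSL certificate.
# All file names and subject names below are constructed for the demo.

# check_issued CSR CERT ROOT
# returns 0 = safe to paste, 1 = not Base-64/PEM, 2 = key mismatch, 3 = chain failure
check_issued() {
    csr=$1; cert=$2; root=$3
    # The export step must produce "Base-64 encoded X.509" (PEM), not binary DER.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "not Base-64 (PEM): $cert"; return 1; }
    # The private key never left vCenter, so the certificate must carry the CSR's public key.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    crt_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ] || { echo "public key does not match the CSR"; return 2; }
    # The root pasted as the trusted chain must actually verify the certificate.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 || { echo "does not chain to $root"; return 3; }
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# make_demo DIR: build a constructed root CA, two CSRs with their issued
# certificates (vcenter and an unrelated "other"), and a DER export of the good one.
make_demo() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' 'prompt=no' \
        '[dn]' 'CN=Constructed Demo Root CA' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    for n in vcenter other; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
            -CAcreateserial -days 1 -out "$d/$n.crt" 2>/dev/null
    done
    openssl x509 -in "$d/vcenter.crt" -outform DER -out "$d/vcenter.der"
}

demo=$(mktemp -d)
make_demo "$demo"
check_issued "$demo/vcenter.csr" "$demo/vcenter.crt" "$demo/root.crt"
check_issued "$demo/vcenter.csr" "$demo/other.crt" "$demo/root.crt" || true
check_issued "$demo/vcenter.csr" "$demo/vcenter.der" "$demo/root.crt" || true
```

With real files, call check_issued with the CSR downloaded from vCenter, the certificate exported from the CA, and the root certificate, in that order.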
Step Three: Installing the certificate in vCenter
Back to the vSphere Client, go to Administration > Certificates > Certificate Management.
Go to the Machine SSL Certificate, click ACTIONS, then choose Import and Replace Certificate.
Since we generated the CSR from vCenter and the certificate was created by an external CA (Microsoft CA), the appropriate option would be the second one. Note: The private key is embedded
Copy the content of the SSL Certificate we created from the Microsoft CA to the text box next to Machine SSL Certificate.
Copy the content of the root certificate that was used to issue the vCenter certificate into the text box next to Chain of trusted root certificates, then click on Replace.
After installing the SSL Certificate, you should be logged out of the vSphere Client and the certificate should be installed on the Server.
You can confirm by clicking on the lock next to the refresh button.
You can also view the details of the issued certificate from Certificate Management.