Install a Certificate in vCenter 7 using Microsoft CA

In this guide, I will walk you through installing a self-signed SSL certificate, by generating a Certificate Signing Request for vCenter and issuing the certificate from Microsoft Certificate Authority.

Pre-Requisites:

vCenter 7 and above

Microsoft Certificate Authority (installed & configured)

Root certificate from the Microsoft CA installed on your workstation

Step One: Generate a CSR from the vCenter

Go to the vSphere Client > Administration > Certificate Management > Generate Certificate Signing Request (CSR)

vCenter Certificate Management

Common Name & Host should be prefilled when entering the CSR info. However, you should fill the Organization name, Organizational Unit (Department Name), Country, State, Locality (City), and Email Address as shown below:

Generate CSR

Download the generated CSR file.

Generate CSR

Note: A Private key is automatically generated when generating the CSR, it will be embedded within vCenter.

Step Two: Submit the CSR in Microsoft Certificate Authority and issue the certificate

Submit a new request (CSR) into Microsoft Certificate Authority

Microsoft Certificate Authority

Next, find the submitted CSR under Pending Requests as shown Below:

Pending Requests

Sign the certificate by issuing the recently submitted request.

Issue Certificate

You may find the signed certificate under the Issued Certificates folder.

Open the Certificate

Open the issued certificate.

Certificate

Export the certificate by clicking Copy to File

Certificate

When exporting the certificate, choose the file format “Base-64 encoded X.509”.

Certificate Export Wizard

Confirm the name and destination of the file.

Certificate Export Wizard

Step Three: Installing the certificate in vCenter

Back to the vSphere Client, go to Administration > Certificates > Certificate Management.

Go to the Machine SSL Certificate and click on ACTIONS then choose Import and Replace Certificate.

vCenter Certificate Management

Since we generated the CSR from vCenter and the certificate is created by an external CA (Microsoft CA). The appropriate option would be the second one. Note: The private key is embedded

Replace Certificate

Copy the content of the SSL Certificate we created from the Microsoft CA to the text box next to Machine SSL Certificate.

Copy the content of the root certificate that was used to issue the vCenter certificate into the text box next to Chain of trusted root certificates, then click on Replace.

Replace with signed certificate

After installing the SSL Certificate, you should be logged out of the vSphere Client and the certificate should be installed on the Server.

You can confirm by clicking on the lock next to the refresh button.

Installed Certificate

You can also view the details of the issued certificate from the Certificate Management

Machine SSL Certificate