Replacing self-signed External PSC certificates with a Microsoft CA signed certificate

The goal of this procedure is to replace self-signed External PSC certificates with a Microsoft CA signed certificate.

Helpful blog posts and articles:

http://www.enterprisedaddy.com/2017/01/configure-psc-ha-in-vsphere-6-5-part-1-configuring-certificates/
https://kb.vmware.com/s/article/2112014
https://kb.vmware.com/s/article/2112009
https://kb.vmware.com/s/article/2136693

Environment:

2 External PSC servers (v6.5) behind a load balancer

PSC1 – psc1.myitblog.local
PSC2 – psc2.myitblog.local
VIP – vpsc.myitblog.local

The first step is to create a vSphere 6.x certificate template on the Microsoft CA for SSL certificate creation:

  1. Logon to the CA server and start certtmpl.msc
  2. In Template display, right-click Web Server and Duplicate Template
  3. Select Windows 2008 R2 for backward compatibility
  4. General Tab > display name field, enter vSphere 6.x
  5. Extensions tab > Application Policies, click Edit, select Server Authentication and click Remove
  6. Extensions tab > select Key Usage, click Edit, tick the Signature is proof of origin (nonrepudiation) option and leave the rest at the defaults
  7. Click Subject Name tab > ensure Supply in the request option is selected
  8. Save Template

Generate CSR and Private key:

      1. Logon to psc1.myitblog.local using SSH
      2. Run the command shell, then chsh -s "/bin/bash" root so that root gets a bash login shell (WinSCP cannot work through the default appliance shell)
      3. Then start WinSCP and open an SCP session to psc1.myitblog.local
      4. In the root of the filesystem (/) create a folder called "certs"
      5. Open a text editor and paste the following configuration:
        [ req ]
        distinguished_name = req_distinguished_name
        encrypt_key = no
        prompt = no
        string_mask = nombstr
        req_extensions = v3_req
        [ v3_req ]
        basicConstraints = CA:false
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        # the VIP plus every PSC node name: clients validate whichever name they connected to
        subjectAltName = DNS:vpsc.myitblog.local, DNS:psc1.myitblog.local, DNS:psc2.myitblog.local
        [ req_distinguished_name ]
        # ISO 3166 two-letter country code (GB, not UK)
        countryName = GB
        stateOrProvinceName = State
        localityName = London
        0.organizationName = myitblog.co.uk
        organizationalUnitName = IT
        commonName = vpsc.myitblog.local
        
      6. Alter subjectAltName and commonName to suit your environment; the SAN must contain the VIP name and the name of every PSC node, since clients check the name they actually connected to
      7. Save the file as psc_ha_csr_cfg.cfg
      8. Upload it to the certs directory created earlier
      9. Run the following command to generate CSR and Private key:
        openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg
      10. Copy the CSR (psc-ha-vip.csr) to your workstation; the private key (psc-ha-vip.key) stays on the PSC

Generate certificate:

  1. Navigate to your Microsoft CA certificate authority Web interface then click Request a certificate
  2. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  3. Paste CSR and select vSphere 6.x as the Certificate Template
  4. Submit and download Base 64 encoded certificate, rename as psc-ha-vip.cer
  5. Export relevant Intermediate and Root certificates from the CA server in Base 64 format as well
  6. Rename Intermediate certificate as CustomInterCA1.cer and the Root CA certificate as CustomRootCA.cer

Replace self-signed certs with CA signed certs:

      1. Upload all three certificates to the certs folder on psc1.myitblog.local
      2. Run the following commands to create the chain files. Order matters (leaf first, then the intermediate, then the root), and each .cer file must end with a newline, otherwise the END marker of one certificate and the BEGIN marker of the next run together on one line and the chain will not parse:
        cat /certs/psc-ha-vip.cer >> /certs/psc-ha-vip-chain.crt
        cat /certs/CustomInterCA1.cer >> /certs/psc-ha-vip-chain.crt
        cat /certs/CustomRootCA.cer >> /certs/psc-ha-vip-chain.crt
        then
        cat /certs/CustomInterCA1.cer >> /certs/cachain.crt
        cat /certs/CustomRootCA.cer >> /certs/cachain.crt
        
      3. If there is more than one intermediate certificate, modify the commands above as follows (CustomInterCA1 is the CA that issued the PSC certificate, CustomInterCA2 the CA above it):
        cat /certs/psc-ha-vip.cer >> /certs/psc-ha-vip-chain.crt
        cat /certs/CustomInterCA1.cer >> /certs/psc-ha-vip-chain.crt
        cat /certs/CustomInterCA2.cer >> /certs/psc-ha-vip-chain.crt
        cat /certs/CustomRootCA.cer >> /certs/psc-ha-vip-chain.crt
        then
        cat /certs/CustomInterCA1.cer >> /certs/cachain.crt
        cat /certs/CustomInterCA2.cer >> /certs/cachain.crt
        cat /certs/CustomRootCA.cer >> /certs/cachain.crt
        
      4. Run the command
        /usr/lib/vmware-vmca/bin/certificate-manager
      5. Select option 1 (Replace Machine SSL certificate with Custom Certificate) and authenticate with the administrator@vsphere.local credentials
      6. Then select option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate) and provide the paths: /certs/psc-ha-vip-chain.crt for the certificate, /certs/psc-ha-vip.key for the key and /certs/cachain.crt for the signing certificate chain
      7. Confirm to start the certificate replacement; the PSC services are restarted as part of the process
      8. Logon to psc2.myitblog.local using SSH
      9. Run the command shell, then chsh -s "/bin/bash" root
      10. Then start WinSCP and open an SCP session to psc2.myitblog.local
      11. In the root of the filesystem (/) create a folder called "certs"
      12. Copy psc-ha-vip-chain.crt, psc-ha-vip.key and cachain.crt from the certs folder on psc1.myitblog.local to the certs folder on psc2.myitblog.local (both nodes must present the same certificate and key behind the VIP; copy the key over SSH between the two appliances rather than via a workstation, and keep it readable by root only)
      13. Repeat steps 4 to 7 on psc2.myitblog.local
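The following script is an added example and is not part of the original post. It runs the post's CSR step with the configuration above, then stands in for the Microsoft CA with a throw-away root and intermediate generated locally (an assumption made so the script runs offline; in production the CSR goes to the Microsoft CA web enrollment page instead), builds psc-ha-vip-chain.crt and cachain.crt in the order certificate-manager expects while stripping the CRLF line endings the web enrollment download usually carries, and finally checks the three things that most often break a replacement: key and certificate must match, the leaf must chain to the root through the chain file, and all three DNS names must be in the SAN. File names follow the post; the demo CA names and the "break" switch are hypothetical.

```bash
#!/bin/bash
# Added example (not from the original post). Runs the post's CSR step, signs
# the CSR with a throw-away two-tier CA that stands in for the Microsoft CA
# (constructed here so the script runs offline), builds the two chain files
# in the order certificate-manager expects, and verifies them before use.
set -e

# The CSR config from the post, with psc2 (not psc1 twice) in the SAN.
write_csr_config() {
  cat > "$1/psc_ha_csr_cfg.cfg" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:vpsc.myitblog.local, DNS:psc1.myitblog.local, DNS:psc2.myitblog.local
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = State
localityName = London
0.organizationName = myitblog.co.uk
organizationalUnitName = IT
commonName = vpsc.myitblog.local
EOF
}

# Constructed stand-in for the Microsoft CA: a root plus one issuing intermediate.
# Its own small config keeps the demo independent of the system openssl.cnf.
make_demo_ca() {
  d=$1
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' '[ dn ]' \
    'commonName = demo' '[ ca_ext ]' 'basicConstraints = critical, CA:true' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$d/ca.cfg"
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -config "$d/ca.cfg" \
    -extensions ca_ext -subj "/CN=Demo Root CA" -keyout "$d/root.key" \
    -out "$d/CustomRootCA.cer" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -config "$d/ca.cfg" \
    -subj "/CN=Demo Issuing CA" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/CustomRootCA.cer" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.cfg" -extensions ca_ext \
    -out "$d/CustomInterCA1.cer" 2>/dev/null
}

# Leaf -> intermediates (CustomInterCA1 = the CA that signed the leaf) -> root.
# Strips CRLF and forces a trailing newline on every file so that the END and
# BEGIN markers of adjacent certificates never fuse into one line.
build_chain_files() {
  d=$1
  : > "$d/psc-ha-vip-chain.crt"; : > "$d/cachain.crt"
  for f in "$d/psc-ha-vip.cer" "$d"/CustomInterCA*.cer "$d/CustomRootCA.cer"; do
    [ -f "$f" ] || continue
    tr -d '\r' < "$f" | awk '{ print }' >> "$d/psc-ha-vip-chain.crt"
    [ "$f" = "$d/psc-ha-vip.cer" ] || tr -d '\r' < "$f" | awk '{ print }' >> "$d/cachain.crt"
  done
}

# Prints "ok" only if the key matches the leaf, the leaf chains to the root
# through the chain file, and all three DNS names are present in the SAN.
verify_psc_chain() {
  d=$1
  certpub=$(openssl x509 -in "$d/psc-ha-vip-chain.crt" -noout -pubkey | openssl sha256)
  keypub=$(openssl pkey -in "$d/psc-ha-vip.key" -pubout 2>/dev/null | openssl sha256)
  [ "$certpub" = "$keypub" ] || { echo "key does not match certificate"; return 1; }
  openssl verify -CAfile "$d/CustomRootCA.cer" -untrusted "$d/psc-ha-vip-chain.crt" \
    "$d/psc-ha-vip.cer" >/dev/null 2>&1 || { echo "chain does not verify"; return 1; }
  san=$(openssl x509 -in "$d/psc-ha-vip.cer" -noout -text | grep -A1 'Subject Alternative Name' || true)
  for n in vpsc.myitblog.local psc1.myitblog.local psc2.myitblog.local; do
    case "$san" in *"DNS:$n"*) ;; *) echo "SAN is missing $n"; return 1 ;; esac
  done
  echo "ok"
}

# End to end. "run_demo break" drops the intermediate from the chain file to
# show the check catching an incomplete chain.
run_demo() {
  d=$(mktemp -d)
  write_csr_config "$d"
  openssl req -new -nodes -out "$d/psc-ha-vip.csr" -newkey rsa:2048 \
    -keyout "$d/psc-ha-vip.key" -config "$d/psc_ha_csr_cfg.cfg" 2>/dev/null
  make_demo_ca "$d"
  # What the CA does with the vSphere 6.x template: SAN and key usage come from
  # the request (openssl x509 -req only honours them when told via -extfile).
  openssl x509 -req -in "$d/psc-ha-vip.csr" -CA "$d/CustomInterCA1.cer" \
    -CAkey "$d/inter.key" -CAcreateserial -days 30 \
    -extfile "$d/psc_ha_csr_cfg.cfg" -extensions v3_req \
    -out "$d/psc-ha-vip.cer" 2>/dev/null
  # Simulate the CRLF line endings of a web enrollment download.
  awk '{ printf "%s\r\n", $0 }' "$d/psc-ha-vip.cer" > "$d/crlf" && mv "$d/crlf" "$d/psc-ha-vip.cer"
  build_chain_files "$d"
  if [ "${1:-}" = break ]; then tr -d '\r' < "$d/psc-ha-vip.cer" > "$d/psc-ha-vip-chain.crt"; fi
  result=$(verify_psc_chain "$d" || true)
  rm -rf "$d"; echo "$result"
}

run_demo "$@"
```

On a real PSC, point build_chain_files and verify_psc_chain at /certs after uploading the three .cer files and skip make_demo_ca; the verify step is worth running on psc2 as well after the copy, since certificate-manager gives far less useful errors than openssl verify when a chain is incomplete or a key does not belong to the certificate.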

Fix VAMI certificate issue:

Due to a bug in the appliance, VAMI (the management interface on port 5480) keeps presenting the old certificate after the Machine SSL certificate of a vCenter Server Appliance or PSC 6.x has been replaced.

Hence the following URLs still produce a certificate error:

https://psc1.myitblog.local:5480
https://psc2.myitblog.local:5480

To fix the issue:

  1. Logon to psc1.myitblog.local using SSH
  2. Run the command shell
  3. Then run the following command to copy the certificate chain to the appliance folder:
    cp /certs/psc-ha-vip-chain.crt /etc/applmgmt/appliance/ca.crt
    
  4. Open /opt/vmware/etc/lighttpd/lighttpd.conf with vi and add the following line:
    ssl.ca-file="/etc/applmgmt/appliance/ca.crt"
    
  5. Then run the following command to restart VAMI:
    /etc/init.d/vami-lighttp restart
  6. Repeat the same steps on psc2.myitblog.local

This completes the CA certificate installation; the next step is to configure the load balancer.
