Installing Certificate Authority Server:

  • To install certificate authority in Windows Server 2019, do the following steps:


  • Before installing Active Directory Certificate Services, you must name the computer, configure the computer with a static IP address, and join the computer to the domain.
  • To perform this procedure, the computer on which you are installing AD CS must be joined to a domain where Active Directory Domain Services (AD DS) is installed.

Create the vCenter Certificate template:

  1. From Server Manager tools, run “Certificate Authority,” go to “Certificate Templates,” then choose Manage.
  2. After Certificate Templates Console is opened, duplicate the template “Web Server.”
  3. Rename the new template in the “General” tab to “vCenter Certificate Template.”
  4. Go to the “Extensions” tab, choose “Application Policies,” then add “Client Authentication.” Then go to “key usage,” check the box “Signature is proof of origin (nonrepudiation),” and check the box “Allow encryption of user data.”
  5. In “Request Handling” tab, check the box “Allow Private Key to be exported.”
  6. Close Certificate template console, then go to certificate template, then click “Certificate Template to Issue.”

Create Certificate Signed Request CSR:

  1. Connect to vCenter using PuTTy.
  2. Enter “Shell” to start bash shell. Log in to vCenter using (root/P@ssw0rd)
  3. To run the certificate manger program Enter “/usr/lib/vmware-vmca/bin/certificate-manager”, the login is administrator@vsphere.local/P@ssw0rd.
  4. Choose option 1: “Replace Machine SSL certificate with Custom Certificate.”
  5. Determine the path to store the CSR and Private Key: “/var/tmp” and then enter the certificate signed request values. 
  6. After CSR is generated, choose option 2, “Exit Certificate Manager.”

Connect WinSCP to vCenter:

  1. Enter chsh -s /bin/bash in order to WinSCP can connect to vCenter.
  2. Go to /var/tmp where “VMCA_issued_Key” and “VMCA_issued_CSR” were generated, then Download “VMCA_issued_CSR” to the desktop.
  3. In Google Chrome, open “”, Choose Request Certificate, Advanced Certificate Request, then open “VMCA_Issued_CSR” with the notepad copy text and submit the Certificate Request using the vCenter Certificate template.
  4. Download Based 64 Encoded rename the downloaded certificate to “Machine SSL Certificate.”
  5. Download Certificate chain, then export root certificate (adatum-Server-CA) rename it to “root certificate.”

Import generated Certificate:

  1. Connect SSH to using Putty, Enter Shell, then run the command “chsh -s /bin/appliancesh” to connect to the vCenter Server Appliance Shell. For this command To succeed, we need to change the path to where the certificate is stored, so enter “cd /var/tmp.”
  2. Run certificate manager, Enter “/usr/lib/vmware-vmca/bin/certificate-manager”, when prompt for username and password enter administrator@vsphere.local/P@ssw0rd.
  3. Choose option 1: Replace the Machine SSL certificate with a custom certificate.
  4. Then choose 2: Import Custom Certificate: Custom SSL certificate: “Machine SSL Certificate”. The custom key for Machine SSL: “VMCA_Issued_Key”.  Signing Certificate for Machine SSL: “Root Certificate”.
  5. Replace vCenter Certificate with custom Machine SSL Certificate? Yes.
  6. This will take some time after rebooting new certificate is installed.

Leave a Reply