On September 30, 2021, the DST Root CA X3 used to sign Let’s Encrypt’s R3 Intermediate CA expired; therefore, some of the previous guides I’ve written and many that you will find online are no longer valid. This guide steps you through the process to install a free Let’s Encrypt SSL certificate for vCenter that is signed by the Let’s Encrypt root certificate ISRG Root X1.
Before we get started, you will need to generate the Let’s Encrypt SSL certificate; I won’t step you through that process in this guide, but there are plenty online to help with that. Alternatively, you may want to look at one of my other blog posts, Automate Free SSL Certificate Replacement for vCenter 7. I recently updated the script to support ISRG Root X1 as the signing root certificate.
IMPORTANT: You must chain the certificates correctly to complete a successful installation using the vCenter Certificate Manager.
Machine SSL Certificate – Your Server Certificate > Let’s Encrypt R3 > ISRG Root X1
Chain of trusted root certificates – Let’s Encrypt R3 > ISRG Root X1

All you need to do is navigate to the vCenter Certificate Manager > Machine SSL Certificate > Action > Import and Replace Certificate > Replace with external CA certificate (requires private key) and, when you are at the screen shown below, paste in the Machine SSL Certificate, Chain of trusted root certificates and your Private Key, then press Replace.

If successful, the vCenter server will initiate a restart to complete the certificate installation. When you log back into your vCenter, you should now see a valid certificate.


I hope you found this guide useful, as always feel free to comment below 🙂
Interesting, thanks for sharing.
I wanted to let you know this method also works in 8.0.0.10200 if you use /usr/lib/vmware-vmca/bin/certificate-manager
My previous method of automating this with 7 sadly no longer works. I used to combine the certs as you describe and then run
ssh vc.mydomain.me service-control --stop --all
ssh vc.mydomain.me service-control --start vmafdd
ssh vc.mydomain.me service-control --start vmdird
ssh vc.mydomain.me service-control --start vmcad
ssh vc.mydomain.me /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y
ssh vc.mydomain.me /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /root/cert.pem --key /root/privkey.pem
ssh vc.mydomain.me service-control --start --all
This results in vmware-content-library failing to start and a 500 error on the URL. I suspect it has something to do with the following being added to the instructions
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-DC693417-78CF-477F-9A4F-AFC9AA1D74E7.html
/usr/lib/vmware-lookupsvc/tools/ls_update_certs.py --url https:///lookupservice/sdk --certfile --user 'administrator@vsphere.local' --password '' --fingerprint
but I am probably going to need to dig through the logs for certificate-manager to be sure
Thanks for the info 🙂