Replace Default vCenter Certificate with a Free Let’s Encrypt SSL

On September 30, 2021, the DST Root CA X3 used to sign Let’s Encrypt’s R3 Intermediate CA Expired; therefore, some of the previous guides I’ve written and many that you will find online are no longer valid. This guide steps you through the process to install a Free Let’s Encrypt SSL Certificate for vCenter that is signed by the Let’s Encrypt root certificate ISRG Root X1.

Before we get started, you will need to generate the Let’s Encrypt SSL certificate; I won’t step you through that process in this guide, but there are plenty online to help with that. Alternatively, you may want to look at one of my other blog posts, Automate Free SSL Certificate Replacement for vCenter 7. I recently updated the script to support ISRG Root X1 as the signing root certificate.

IMPORTANT: You must chain the certificates correctly to complete a successful installation using the vCenter Certificate Manager.

Machine SSL CertificateYour Server Certificate > Let’s Encrypt R3 > ISRG Root X1

Chain of trusted root certificatesLet’s Encrypt R3 > ISRG Root X1


All you need to do is navigate to the vCenter Certificate Manger > Machine SSL Certificate > Action > Import and Replace Certificate > Replace with external CA certificate(requires private key) and and when you are at this screen shown below, paste in the Machine SSL Certificate, Chain of trusted root certificates and your Private Key then press Replace.

If successful, the vCenter server will initiate a restart to complete the certificate installation. When you log back into your vCenter, you should now see a valid certificate.

I hope you found this guide useful, as always feel free to comment below 🙂

4 comments Add yours
  1. I wanted to let you know this method also works in 8.0.0.10200 if you use /usr/lib/vmware-vmca/bin/certificate-manager

    My previous method of automating this with 7 sadly no longer works. I used to combine the certs as you describe and then run

    ssh vc.mydomain.me service-control –stop –all
    ssh vc.mydomain.me service-control –start vmafdd
    ssh vc.mydomain.me service-control –start vmdird
    ssh vc.mydomain.me service-control –start vmcad
    ssh vc.mydomain.me /usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store MACHINE_SSL_CERT –alias __MACHINE_CERT -y
    ssh vc.mydomain.me /usr/lib/vmware-vmafd/bin/vecs-cli entry create –store MACHINE_SSL_CERT –alias __MACHINE_CERT –cert /root/cert.pem –key /root/privkey.pem
    ssh vc.mydomain.me service-control –start –all

    This results in vmware-content-library failing to start and a 500 error on the URL. I suspect it has something to do with the following being added to the instructions

    https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-DC693417-78CF-477F-9A4F-AFC9AA1D74E7.html

    /usr/lib/vmware-lookupsvc/tools/ls_update_certs.py –url https:///lookupservice/sdk –certfile –user ‘administrator@vsphere.local’ –password ” –fingerprint

    but I am probably going to need to dig through the logs for certificate-manager to be sure

Leave a Reply