Replace Default vCenter Certificate with a Free Let’s Encrypt SSL

On September 30, 2021, the DST Root CA X3 used to sign Let’s Encrypt’s R3 Intermediate CA Expired; therefore, some of the previous guides I’ve written and many that you will find online are no longer valid. This guide steps you through the process to install a Free Let’s Encrypt SSL Certificate for vCenter that is signed by the Let’s Encrypt root certificate ISRG Root X1.

Before we get started, you will need to generate the Let’s Encrypt SSL certificate; I won’t step you through that process in this guide, but there are plenty online to help with that. Alternatively, you may want to look at one of my other blog posts, Automate Free SSL Certificate Replacement for vCenter 7. I recently updated the script to support ISRG Root X1 as the signing root certificate.

IMPORTANT: You must chain the certificates correctly to complete a successful installation using the vCenter Certificate Manager.

Machine SSL CertificateYour Server Certificate > Let’s Encrypt R3 > ISRG Root X1

Chain of trusted root certificatesLet’s Encrypt R3 > ISRG Root X1


All you need to do is navigate to the vCenter Certificate Manger > Machine SSL Certificate > Action > Import and Replace Certificate > Replace with external CA certificate(requires private key) and and when you are at this screen shown below, paste in the Machine SSL Certificate, Chain of trusted root certificates and your Private Key then press Replace.

If successful, the vCenter server will initiate a restart to complete the certificate installation. When you log back into your vCenter, you should now see a valid certificate.

I hope you found this guide useful, as always feel free to comment below 🙂

2 comments Add yours

Leave a Reply