This quick post demonstrates how to export the Machine SSL embedded Private key from your vCenter Server Appliance (VCSA).
If you replaced the default Machine SSL certificate on your vCenter where the CSR was generated from the vCenter Server, the private key would be embedded in the vCenter Appliance certificate store. If you need to export that Private Key for any reason, you can do so with the following steps.
Log into the vCenter Appliance via SSH and run the following command
Get Machine SSL Private Key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT
Here are some other useful commands to retrieve the SSL Certificate, CA and Trusted Root certificates.
Get Machine SSL and CA Certificates
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT
Get Trusted Root Certificates
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS
For more vecs-cli usage help run the following command or check the vecs-cli Command Reference online
I hope you found this helpful. Feel free to comment if you have any questions.Follow @nmangraviti