Export Machine SSL Embedded Private Key From vCenter

This quick post demonstrates how to export the Machine SSL embedded Private key from your vCenter Server Appliance (VCSA).

If you replaced the default Machine SSL certificate on your vCenter where the CSR was generated from the vCenter Server, the private key would be embedded in the vCenter Appliance certificate store. If you need to export that Private Key for any reason, you can do so with the following steps.

Log into the vCenter Appliance via SSH and run the following command

Get Machine SSL Private Key

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT

Here are some other useful commands to retrieve the SSL Certificate, CA and Trusted Root certificates.

Get Machine SSL and CA Certificates

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT

Get Trusted Root Certificates

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS

For more vecs-cli usage help run the following command or check the vecs-cli Command Reference online

/usr/lib/vmware-vmafd/bin/vecs-cli help

I hope you found this helpful. Feel free to comment if you have any questions.

Leave a Reply