1. Prepare for SSL Certificate Replacement
Log in to the vSphere Client as a user with administrative privileges.
Back up the vCenter Server appliance:
Use the Backup option in the vSphere Client or take a snapshot of the appliance to ensure recovery if needed.
Confirm the Microsoft Certificate Authority (CA) is reachable from the vCenter Server.
2. Generate a Certificate Signing Request (CSR)
Open the vSphere Client and navigate to Administration > Certificates > Certificate Management.
In the Machine Certificates tab, click Actions > Generate Certificate Signing Request.
Fill in the CSR details, including:
Common Name (CN): Fully Qualified Domain Name (FQDN) of the vCenter Server.
Organization (O) and Organizational Unit (OU): Your company and department.
Country (C): Your country code (e.g., US).
Click Generate and download the CSR file to your local machine.
3. Submit the CSR to the Microsoft Certificate Authority
Open the Microsoft CA web enrollment page, typically at http://<CA_Server_Name>/certsrv.
Select Request a certificate > Advanced certificate request.
Copy and paste the contents of the CSR file into the text box.
Select an appropriate certificate template (e.g., Web Server) and submit the request.
Download the issued certificate in Base64-encoded format and save it as vcenter_cert.cer.
Download the CA certificate chain in Base64-encoded format and save it as ca_chain.cer.
4. Upload the SSL Certificate to vCenter
Return to the vSphere Client and navigate to Administration > Certificates > Certificate Management.
In the Machine Certificates tab, click Actions > Import and Replace Certificate.
Provide the following:
The issued SSL certificate file (e.g., vcenter_cert.cer).
The CA certificate chain file (e.g., ca_chain.cer).
Confirm the replacement operation and click Replace.
The system will restart vCenter services to apply the new certificate.
5. Verify the New Certificate
Open a browser and navigate to the vCenter Server’s web interface (e.g., https://<vcenter_fqdn>).
Check the certificate details in the browser to confirm that the new SSL certificate is active and valid.
Ensure there are no warnings about untrusted certificates.
Verify that all services (e.g., ESXi hosts, linked components) are functioning as expected.
6. Document and Monitor
Record details of the new certificate, including its expiration date.
Set a reminder to renew the certificate before it expires to avoid service interruptions.
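The checks in steps 5 and 6 can also be scripted. The following is an added example, not part of the original procedure or any VMware tooling: it validates the served certificate against ca_chain.cer only and reports the issuer and days until expiry. The host name, the 30-day threshold and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import time

def fetch_validated_cert(host, ca_file, port=443, timeout=10):
    """Return the certificate vCenter serves, as a getpeercert() dict.
    Trust is anchored only in ca_file (the chain saved in step 3), so the
    handshake raises ssl.SSLCertVerificationError on a chain or name mismatch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def summarize_cert(cert, fqdn, warn_days=30, now=None):
    """Evaluate a getpeercert()-style dict for the step 5 and step 6 checks."""
    now = time.time() if now is None else now
    # Hostname matching in TLS clients is done against the SAN DNS entries.
    dns_names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "fqdn_in_san": fqdn.lower() in dns_names,
        "issuer_cn": issuer.get("commonName"),
        "not_after": cert["notAfter"],      # value to record in step 6
        "days_left": days_left,             # negative once expired
        "renew_now": days_left <= warn_days,
    }

# Constructed sample in the shape getpeercert() returns (not real data).
SAMPLE_CERT = {
    "subject": ((("commonName", "vcenter.example.internal"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2027 GMT",
    "subjectAltName": (("DNS", "vcenter.example.internal"),),
}

if __name__ == "__main__":
    # Against a live appliance (hypothetical FQDN):
    #   cert = fetch_validated_cert("vcenter.example.internal", "ca_chain.cer")
    print(summarize_cert(SAMPLE_CERT, "vcenter.example.internal"))
```

Running summarize_cert on a schedule against the output of fetch_validated_cert gives the renewal reminder from step 6 without relying on a calendar entry.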