Open and log in to vSphere


Open another tab for the INTCA


Take a snapshot of VCSA first. Forgot where it is, gotta ask bowes. 


Click the hamburger icon in the top left > Administration > Certificate Management


Select the VCSA certificate and click GENERATE CERTIFICATE SIGNING REQUEST (CSR)


You should see see the generated certificate request.


Copy the entire request including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST


Go the the INTCA tab


Select Request a certificate > advanced certificate request > Paste the copied request into the top field > change Certificate Template to VMware Certificate > Submite


Download both the certificate chain


Install OpenSSL if you do not have it already <Create article to install openssl and set up environment variables>

Open Powershell as an admin


Paste this into the terminal Replace $env:USERNAME with your ID number:


openssl pkcs7 -print_certs -in "C:\Users\$env:USERNAME\Downloads\certnew.p7b" -out "C:\Tools\certs_raw.pem"

Get-Content "C:\Tools\certs_raw.pem" |
    Where-Object { $_ -match '-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----|^[A-Za-z0-9+/=]+$' } |
    Set-Content "C:\Tools\clean_chain.pem"

Remove-Item -Path "C:\Tools\certs_raw.pem"

notepad "C:\Tools\clean_chain.pem"


Go back to vSphere


Select Import and Replace Certificate


Select the second option:


Machine SSL is the first entry in the notepad that opened. Copy everything between and including ----BEGIN CERTIFICATE---- and ----END CERTIFICATE----


Chain of trusted root certificates is the rest of the text in the notepad. Do not include the Machine SSL


May need more info/screenshots. dont want to renew again right now. 







In case of emergency

--------------------------------------------------------------------------------------------------------------------------------------


Log in to vCenter Management Server at vcsa.services.lcso.org:5480 (Password in Keeper)

Navigate to "Access"

Click "Edit" in the upper right

Activate "Bash Shell" with a duration of 20 minutes


Open Putty

Log in to vcsa.services.lcso.org as root (Password in Keeper)

Navigate to /tmp/vcert-6.0.1-20250516/

Launch vCert.py


Follow the menu

For example, to delete expired certificates in the backup directory, press 3, then 11.