VMware vSphere


 Deploying vCenter with custom SSL certificate

-ranga- posted Feb 06, 2025 01:08 AM

Is it possible to specify the custom Machine SSL certificate during vCenter deployment?

We already have automation to replace the self-signed certificate with a custom certificate, but this too requires connecting insecurely (ignoring SSL verification errors) or trusting the VMCA, which I think could be avoided if we could simply inject our custom root/chain and machine SSL certificates into vCenter during deployment.

Andrea Consalvi

Hey Ranga,

Yes, it is possible to specify a custom Machine SSL Certificate during the deployment of vCenter, but VMware doesn't provide a built-in way to inject it directly in the deployment wizard. The usual approach is to deploy vCenter first, let it generate its default self-signed certificate, and then replace it afterward—which, as you mentioned, can introduce temporary SSL verification issues unless you trust the VMCA.

If you're looking to avoid that insecure phase entirely, one way is to preload your custom certificate into the vCenter appliance before first boot. You can do this by mounting the installation ISO, modifying the configuration files inside, and injecting your custom root CA and machine certificate into the appliance before it even starts the deployment process. This is not an officially supported method, but it has worked in lab environments.

Alternatively, if automation is key for you, another option is to script the deployment using PowerCLI or vCSA CLI, followed by an immediate certificate replacement via the vSphere Certificate Manager or API calls. This ensures that as soon as vCenter comes online, it already has the correct SSL certificate applied, minimizing the exposure to self-signed certificate warnings.

It would be great to know what deployment method you're using.

-ranga-

(I seem to have only the option to post an 'answer', not reply to the conversation?)
Thanks for your reply, apologies for the delay in responding.

We do use the vcsa_deploy command to deploy the vCenter. The certificate is replaced immediately using the REST API by a Python script, which ignores SSL verification errors.

Are there any details you can share about this approach, viz. which configuration files to modify and how, where and how to inject certificates?
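An added example, not from this thread or from VMware, of how the post-deployment replacement script could avoid ignoring TLS verification errors: pin the SHA-256 fingerprint of the certificate the freshly deployed appliance presents against a value recorded out of band, and only then open the REST session used for the certificate replacement. It assumes the vSphere Automation REST session endpoint `POST /api/session` with HTTP Basic authentication; the host, user, password and fingerprint values are placeholders, and the embedded PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import json
import ssl
import urllib.request

# Constructed placeholder, not a real certificate: enough to exercise the helpers offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"


def fingerprint_sha256(pem_cert: str) -> str:
    """Colon-separated SHA-256 fingerprint of a PEM certificate (same form as
    `openssl x509 -fingerprint -sha256`), comparable with a value read out of band,
    e.g. from the appliance console right after deployment."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept upper/lower case and fingerprints with or without colons or spaces."""
    return fp.replace(":", "").replace(" ", "").upper()


def pin_matches(pem_cert: str, expected_fp: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    actual = normalize_fingerprint(fingerprint_sha256(pem_cert))
    return hmac.compare_digest(actual, normalize_fingerprint(expected_fp))


def pinned_opener(host: str, expected_fp: str, port: int = 443) -> urllib.request.OpenerDirector:
    """Fetch the certificate the appliance currently presents (unverified handshake,
    so the fingerprint check below is what makes this safe), refuse to continue on a
    mismatch, then trust exactly that certificate. Hostname checking stays on."""
    presented = ssl.get_server_certificate((host, port))
    if not pin_matches(presented, expected_fp):
        raise RuntimeError(f"certificate presented by {host} does not match the expected fingerprint")
    ctx = ssl.create_default_context(cadata=presented)  # only this cert, no system CAs
    # The pinned leaf (not a CA) is the anchor, so allow the chain to end at it (Python 3.10+).
    ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def vcenter_session(opener: urllib.request.OpenerDirector, host: str, user: str, password: str) -> str:
    """POST /api/session (vSphere Automation REST API) with Basic auth; the returned
    token is sent as the vmware-api-session-id header on the replacement calls."""
    req = urllib.request.Request(f"https://{host}/api/session", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with opener.open(req) as resp:
        return json.load(resp)
```

The fingerprint of the VMCA-issued Machine SSL certificate can be recorded from the appliance console or the deployment log before the script runs, so the script never has to disable verification to reach the API.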