
VMCA Certificate Generator

The VMware Certificate Authority (VMCA) Certificate Generator lets you retrieve certificates signed by the VMCA running on vCenter / PSC.

This can be useful when you don't have access to a company-wide Certificate Authority (e.g. in a small business or a lab), but you want valid certificates for your services.
The certificates can be used for other VMware products such as vRealize Suite and NSX, as well as for 3rd party services.
Once you trust the VMCA root certificate (which you can retrieve from the vCenter URL or with this tool), you trust all services that use the new certificates.

The validity of the certificates is not changeable and depends on the vCenter version. With vCenter 7.0 you'll get certificates valid for 2 years.

The VMCA Certificate Generator comes as a .jar file and needs to be run with Java: either right-click and "open with Jar Launcher" or run "java -jar vmca-cert-generator.jar".

To connect to vCenter or PSC, fill in the FQDN or IP of vCenter/PSC together with a shell user (e.g. root) in the form.

Add the certificate details and click "START".

The log will appear in the upper right corner, followed by a Download button.

The download provides a .zip file containing:

  • certool.cfg -> the certificate settings, for reference only
  • root.cer -> the VMCA root certificate
  • private.key and public.key
  • .cer -> X509 certificate
  • .pfx -> certificate in PKCS#12 format, encrypted with the specified password
  • chain-with-privkey.pem -> certificate chain including private key
  • chain-without-privkey.pem -> certificate chain without private key

Different tools / services require different formats of certificates to upload. Usually you'll need only one of the created certificate files. Please report missing formats that should be included.

  1. If not already done, change the vCenter default shell to BASH: https://kb.vmware.com/s/article/2100508

  2. Download VMCA Certificate Generator ZIP and extract "vmca-cert-generator.jar" on your client

  3. Run the tool with either "java -jar vmca-cert-generator.jar" or right click and "open with Jar Launcher"

  4. Fill out all fields and press "START"

  5. Press "DOWNLOAD" and save the certificate bundle as .zip file

  6. Extract the downloaded ZIP file

  7. Provide the certificate in the appropriate format to your product(s). The required certificate format differs from product to product.
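
Between steps 6 and 7, the extracted bundle can be checked before it is handed to a product. The script below is an added example, not part of the tool or of the original page; it assumes the files are PEM-encoded, that private.key is unencrypted, and that the name of the service certificate (the ".cer" entry) is passed in by the caller.

```shell
#!/bin/sh
# Added example (not part of the tool): check an extracted bundle before use.
# Assumptions: files are PEM-encoded, private.key is unencrypted, and the
# service certificate name (the ".cer" entry) is supplied by the caller.

check_vmca_bundle() {   # $1 = extracted bundle directory, $2 = service .cer file name
    dir=$1; leaf=$1/$2; failures=0

    # 1. The service certificate must chain to the VMCA root from the bundle.
    if openssl verify -CAfile "$dir/root.cer" "$leaf" >/dev/null 2>&1; then
        echo "OK    $2 chains to root.cer"
    else
        echo "FAIL  $2 does not verify against root.cer"; failures=$((failures + 1))
    fi

    # 2. private.key must belong to that certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$dir/private.key" -pubout 2>/dev/null) || key_pub=""
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK    private.key matches $2"
    else
        echo "FAIL  private.key does not match $2"; failures=$((failures + 1))
    fi

    # 3. Print the expiry date; the validity period cannot be changed, so plan renewal.
    openssl x509 -in "$leaf" -noout -enddate 2>/dev/null || true

    # 4. Restrict every file that carries the private key to its owner.
    for f in "$dir/private.key" "$dir/chain-with-privkey.pem" "$dir"/*.pfx; do
        if [ -f "$f" ]; then chmod 600 "$f"; fi
    done

    return "$failures"
}
```

Source the file and call `check_vmca_bundle <extracted-dir> <service>.cer`; the return value is the number of failed checks.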

Version 1.0 Update

  • Added the open source license file.