ESXi 5.5: Generate AD CA Certificates using SSL-Updater Tool

Ignore my attempts. Follow Derek’s blog here. It works. Thanks Derek.




Assuming SSL Certificate Updater Tool for your build of ESXi / vSphere has been obtained. I have extracted it to C:\Temp.

You need to have set up a certificate template in your AD CA. See steps here.


Step Process
Launch cmd as Admin and cd to root of tool.
Execute ssl-updater.bat.
Press 2 to generate a Certificate Singing Request (CSR).
Press the number corresponding to the service you want to generate a certificate for.
Complete the prompts. I left the pre-filled prompts as given.
This will create CSR file (rui.csr) in the directory defined in the last step.
Open the rui.csr file in notepad.
Copy the contents to the clipboard.
Navigate to https://{CA}.domain.local/certsrv
Click “Request a certificate”
Click “Advanced certificate request”
Paste the contents of the clipboard into the “Base-64-ecoded certificate request…” text area.
Remove any additional blank lines
Select the “VMware Certificate” template.
Click Submit >.
Select Base 64 Encoded
Click “Download certificate chain”.
Save the certificate as cachain.p7b in the appropriate folder for the cert. (same place as rui.csr).
In Windows Explorer, navigate to the cachain.p7b file and double-click it to open in certmgr.
In certmgr, drill down to Certificate folder.
Right-click the certificate (FQDN of common name for your cert, normally the server’s FQDN (
Click All Tasks > Export…
Click Next.
Select Base-64 encoded X.509 (.CER) and click Next.
Save the cert as Root64.cer, in the same place as rui.csr.
Finish the cert export wizard.
Return to the ssl-updater tool cmdline.
Exit the CSR, returning to the main menu by pressing 9.
Press the number corresponding to the certificate. “Update xyz…”
Press the number corresponding to the SSL Certificate: “Update the XYZ SSL Certificate”
For each prompt, paste the corresponding certificate file path (tip: shift + right-click on file name and click Copy as Path. > paste contents into cmdline. For Example

Enter location to the new vCenter Orchestrator SSL chain: {path/to}/Root64.cer

Enter location to the new vCenter Orchestrator private key: {path/to}/rui.key

There may be more, depending on the certificate you’re installing.

Confirm the certificate has imported. Service may take a while to restart. It seems that you have to complete all the certificates to get vCenter working properly


Please feel free to leave a comment...