vCenter 6.5 – Machine_SSL Certificate with multiple DNS Names

Please note that you should not use this workaround in production.

From time to time you need more than one DNS name in your certificate, for example when vCenter is reachable under a CNAME as well as its FQDN. The extra names go into the subjectAltName extension of the Certificate Signing Request.

First, create a file called machine_ssl.cfg on your vCenter with the following content.

# openssl req reads its settings from the [ req ] section, so the header is required
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_keyfile = machine_ssl.key
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
# With prompt = no the subject must be filled in here; the CN below is an
# assumption, set it to the primary FQDN of your vCenter
CN = vcsa.benslab.local

[ req_ext ]
subjectAltName = @alt_names
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

[ alt_names ]
# Every entry here ends up in the SAN extension, so list only real names
# (an empty email entry would add an empty rfc822Name)
DNS.1 = vcsa.benslab.local
DNS.2 = vcsa.test.local
DNS.3 = vcsa.home.lab

Now that we have the configuration file, we need to create the Certificate Signing Request. Because no key is passed in, openssl generates a new one and writes it to the default_keyfile named in the config.

openssl req -new -config machine_ssl.cfg -out machine_ssl.csr

This CSR needs to be signed by your CA; afterwards the Machine_SSL certificate can be replaced with the signed result. Before sending it off, it is worth checking that the CSR really carries all of the DNS names, because the CA will only sign what is in the request.
If you just want to use the VMCA to sign the certificate, you may find this KB useful.
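The following script is an added example, not code from the original post: it writes a machine_ssl.cfg equivalent to the one above, builds the CSR with the same openssl command, and then verifies that every DNS name actually landed in the subjectAltName extension. It assumes the openssl CLI is on PATH; the hostnames are the ones used in this post, and the CN is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: write a machine_ssl.cfg equivalent
# to the one above, build the CSR, then confirm every DNS name actually landed in the
# subjectAltName extension before the CSR goes to the CA. Assumes openssl is on PATH.
set -eu
WORKDIR="$(mktemp -d)"
CFG="$WORKDIR/machine_ssl.cfg"
CSR="$WORKDIR/machine_ssl.csr"
# The [ req ] header lets openssl req find these settings; the CN is an assumption
# (an empty [ dn ] section is rejected by openssl when prompt = no).
cat > "$CFG" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = vcsa.benslab.local
[ req_ext ]
subjectAltName = @alt_names
subjectKeyIdentifier = hash
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[ alt_names ]
DNS.1 = vcsa.benslab.local
DNS.2 = vcsa.test.local
DNS.3 = vcsa.home.lab
EOF

# Same command as in the post; -keyout just keeps the new key inside WORKDIR.
make_csr() {
    openssl req -new -config "$CFG" -keyout "$WORKDIR/machine_ssl.key" -out "$CSR" 2>/dev/null
}

# List the DNS names found in the CSR's subjectAltName, one per line.
csr_dns_names() {
    openssl req -in "$CSR" -noout -text | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeeds only if every expected name is present: a name missing here is missing from
# the certificate the CA hands back.
check_sans() {
    names="$(csr_dns_names)"
    for n in vcsa.benslab.local vcsa.test.local vcsa.home.lab; do
        echo "$names" | grep -qx "$n" || { echo "missing SAN: $n" >&2; return 1; }
    done
}

make_csr && check_sans && echo "CSR carries all three DNS names"
```

The same csr_dns_names check can be run against the certificate the CA returns by swapping `openssl req -in` for `openssl x509 -in`.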


One thought on “vCenter 6.5 – Machine_SSL Certificate with multiple DNS Names”

  1. Nice one for the article, Benedikt. Ran through the process on a VCSA 6.5 U1 machine and it worked brilliantly. We had a CNAME record; now both it and the VC FQDN are showing as being secure.
