Where is the private key when using certificate-manager's web UI?

My old vCenter crashed and I'm trying to add custom certificates on the new one. However, when I complete the CSR generation on the web UI there are just two options, copy and download.

Copy does what it says, copies the CSR to the clipboard and download downloads it, just the CSR, no private key. The CSR, naturally, is enough to get the signed certificate but at import time I have no private key to match and thus it won't accept the certificate.

How can I get a hold of the private key? Why after so many iterations can't VMware get it right? I mean, vCenter is really expensive, you sort of expect it to be flawless. What's the point of the web UI if you still have to hunt down files in the CLI? I tried using this wildcard certificate I'm using in several places but it won't accept it; I assume it's because it doesn't explicitly have the hostname.

I looked it up (the private key) on /usr/lib/vmware-vmca/bin already expecting it not to be there, and surely it wasn't. I went to /tmp and looked up anything with today's timestamp (/tmp/jna-root) but it was empty. The rest on /tmp are .part files.

Anyway, I appreciate your help on this -- and thanks!

1 Reply

It is actually an issue now with HTML5.

For now, you can access the VCSA using SSH and get the key using the command below:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CSR
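
Once the key has been retrieved, it can be checked against the CSR that was signed and the certificate that came back, since a mismatch is what makes the import fail. The script below is an added example, not part of the original thread: it compares the SHA-256 of the public key in all three files using openssl. The file names, function names and the sample subject are assumptions, and `demo` builds constructed throwaway material.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a private key, a CSR and a
# signed certificate all carry the same public key before importing them.
# File names, function names and the sample subject are assumptions.

# pub_fp KIND FILE: print the SHA-256 of the DER-encoded public key.
pub_fp() (
  der=$(mktemp) || exit 2
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER -out "$der" ;;
    csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER -out "$der" ;;
    cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER -out "$der" ;;
  esac 2>/dev/null
  # An unparsable input leaves $der empty; report it instead of hashing nothing.
  if [ -s "$der" ]; then openssl dgst -sha256 <"$der" | awk '{print $NF}'; rc=0; else rc=2; fi
  rm -f "$der"
  exit "$rc"
)

# keys_match KEY CSR CERT: 0 = all three match, 1 = mismatch, 2 = unreadable input.
keys_match() {
  k=$(pub_fp key "$1")  || return 2
  r=$(pub_fp csr "$2")  || return 2
  c=$(pub_fp cert "$3") || return 2
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# demo: constructed sample. Prints "<rc for matching set> <rc for a foreign key>".
demo() (
  d=$(mktemp -d) || exit 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vcsa.example.test" \
    -keyout "$d/machine.key" -out "$d/machine.csr" 2>/dev/null
  openssl x509 -req -in "$d/machine.csr" -signkey "$d/machine.key" -days 1 \
    -out "$d/machine.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
  good=0; keys_match "$d/machine.key" "$d/machine.csr" "$d/machine.crt" || good=$?
  bad=0;  keys_match "$d/other.key"   "$d/machine.csr" "$d/machine.crt" || bad=$?
  rm -rf "$d"
  echo "$good $bad"
)

# Usage: sh check.sh machine.key machine.csr machine.crt
if [ "$#" -eq 3 ]; then
  keys_match "$@" && echo "match" || echo "mismatch or unreadable input"
fi
```

Save the key output to a file created under `umask 077` so it is not readable by other accounts on the appliance.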