Search the VMware Knowledge Base (KB)
View by Article ID

Replacing the SSL certificate in vCenter Server Heartbeat with a new certificate (2013041)

  • 6 Ratings


This article provides steps to change the current SSL certificate on vCenter Server Heartbeat to use a new certificate.


  • All instances of password represent the default password.
  • If you intend using a non-default password, you must edit the Server.xml file and update the existing keystorePass=password entry and change it to reflect the non-default password used.

  • The Server.xml file is located at %Program Files\VMware\VMware vCenter Server Heartbeat\tomcat\apache-tomcat-6.0.32\conf.
  • Changing the password of the certificate for vCenter Server can cause problems with the vCenter Server Heartbeat plugin.
  • All file paths are assumed to be the default installation file paths. 

To change the current SSL certificate in vCenter Server Heartbeat:
  1. Navigate to Start > Run and open the Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Prefs\nfwebsvcs\management\nfwebsvc.

  3. Change the value of use_hbws_keystore from TRUE to FALSE and save your changes.

  4. From the Service Control Manager, restart the VMware vCenter Server Heartbeat WebService.

  5. Create the new keystore in a temporary location and enter the certificate details:

    keytool -genkey -alias nfhb_private_certificate -keyalg RSA -keysize 2048 -keystore NFKeyStore.jks -storepass password

    Note: The keytool utility is located at C:\Program Files\VMware\VMware vCenter Server Heartbeat\R2\jre\bin.

  6. Create a Certificate Signing Request (CSR).
    • For MD5:

      keytool -certreq -alias nfhb_private_certificate -sigalg MD5withRSA –file NFKeyStore.csr -keystore NFKeyStore.jks -keypass password -storepass password

    • For SHA1:

      keytool -certreq -alias nfhb_private_certificate -sigalg SHA1withRSA –file NFKeyStore.csr -keystore NFKeyStore.jks -keypass password -storepass password

  7. Submit the CSR to the Certification Authority (CA).

  8. Save the received certificate as certnew.p7b.

  9. Import the received certificate to the JAVA keystore:

    keytool -import -alias nfhb_private_certificate -keystore NFKeyStore.jks -trustcacerts -storepass password -file certnew.p7b

    For vCenter Server Heartbeat 6.6:

    Import the CA Chain:

    keytool -import -alias nfhb_private_certificate -keystore NFKeyStore1.jks -trustcacerts -storepass D32g9Z17aB -file certnew.p7b

    Import the Service Chain:

    keytool -import -alias nfhb_private_certificate -keystore NFKeyStore1.jks -trustcacerts -storepass D32g9Z17aB -file certnewroot.p7b

  10. Verify the imported data from the Java keystore:

    keytool -list -v -keystore NFKeyStore.jks -storepass password

  11. Stop the TOMCAT instance used by the vCenter Server Heartbeat WEB management (nfwebsvc) using the command:

    net stop nfwebsvc

  12. Create a backup of the currently used keystore:

    cd "C:\Program Files\VMware\VMware vCenter Server Heartbeat\tomcat\ssl" ren NFKeyStore.jks NFKeyStore.jks.bak

  13. Copy the keystore from the temporary location:

    xcopy "C:\Program Files\VMware\VMware vCenter Server Heartbeat\R2\jre\bin\NFKeyStore.jks" "C:\Program Files\VMware\VMware vCenter Server Heartbeat\tomcat\ssl"

  14. Start the TOMCAT instance used by the vCenter Server Heartbeat WEB management (nfwebsvc) using the command:

    net start nfwebsvc

Additional Information


Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 6 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 6 Ratings