Replace machine certificate with CA signed certificate on vCenter Appliance 6.5 with embedded PSC without using the vSphere Certificate Manager Utility in a shell script
#!/bin/bash
#
# In the local directory 3 files are required:
# new_cert.crt - new machine certificate
# new_cert.key - private key for certificate
# intermediary.crt - certificate chain of the signing authority for new_cert.crt
#
# Run on the vCSA shell. Abort on the first failing command so the
# MACHINE_SSL_CERT store is not left half-replaced.
set -euo pipefail
for f in new_cert.crt new_cert.key intermediary.crt; do
  [ -f "$f" ] || { echo "missing required file: $f" >&2; exit 1; }
done
# Credentials for dir-cli and ls_update_certs.py are an SSO administrator.
SSO_USER='administrator@vsphere.local'
SSO_PASS='Password'
# import intermediary authority cert into the trusted root store:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert intermediary.crt --login "$SSO_USER" --password "$SSO_PASS"
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
# get current machine cert (kept until the endpoint update has succeeded):
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output original.crt
# get SHA-1 thumbprint of this cert (needed for the endpoint update step):
/usr/bin/openssl x509 -in original.crt -noout -sha1 -fingerprint | /usr/bin/cut -d= -f 2 > original.thumb
# replace machine cert
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new_cert.crt --key new_cert.key
# update service endpoints (requires the thumbprint of the OLD certificate so the
# lookup service can locate the registrations to rewrite):
/usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url https://localhost/lookupservice/sdk --fingerprint "$(cat original.thumb)" --certfile new_cert.crt --user "$SSO_USER" --password "$SSO_PASS"
# Cleanup original cert:
rm original.crt
rm original.thumb
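The script above deletes the live machine certificate before it installs the new one, so a key/certificate mismatch or a chain that does not verify is only discovered after the store is already empty. The following pre-flight check is an added example, not part of the original gist: it takes the same three input files the gist requires (new_cert.crt, new_cert.key, intermediary.crt) and confirms, before anything is touched, that the private key belongs to the certificate, that the certificate verifies against the chain that will be published, and that it is not about to expire. It also extracts the thumbprint in the colon-separated form that ls_update_certs.py consumes. The function names (preflight_check, thumbprint) and the script name preflight.sh are assumptions; it relies only on the openssl binary already present on the appliance.

```shell
#!/bin/bash
# Added example (not part of the original gist): consistency checks on the
# three input files before the MACHINE_SSL_CERT store is modified.
# Function names and the preflight.sh file name are assumed.

# preflight_check CERT KEY CHAIN
# Returns 0 when CERT matches KEY, verifies against CHAIN and is valid for
# at least another 24 hours; returns 1 (with a reason on stderr) otherwise.
preflight_check() {
  cert=$1; key=$2; chain=$3
  for f in "$cert" "$key" "$chain"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # 1. The private key must belong to the certificate: derive the public key
  #    from each side and compare the PEM encodings byte for byte.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
  # 2. The certificate must chain to the CA bundle that will be published
  #    with 'dir-cli trustedcert publish --chain'.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not verify against $chain" >&2; return 1; }
  # 3. Refuse a certificate that is expired or expires within 24 hours.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "certificate is expired or expires within 24h" >&2; return 1; }
  return 0
}

# thumbprint CERT
# Prints the SHA-1 fingerprint as colon-separated hex, the same extraction
# the gist applies to original.crt for ls_update_certs.py --fingerprint.
thumbprint() {
  openssl x509 -in "$1" -noout -sha1 -fingerprint | cut -d= -f 2
}

# Usage: ./preflight.sh new_cert.crt new_cert.key intermediary.crt
if [ $# -eq 3 ]; then
  preflight_check "$1" "$2" "$3" \
    && echo "pre-flight OK; thumbprint of new certificate: $(thumbprint "$1")"
fi
```

Run it from the directory holding the three files before the replacement script; a non-zero exit means stop and fix the inputs rather than proceeding to the vecs-cli delete. The public-key comparison is deliberate: it works for RSA and EC keys alike, whereas comparing RSA moduli only covers one key type.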