Replacing Esxi 6 SSL Certificates


In our last post, Replacing vSphere 6 SSL Certificates, we learned how to replace the machine SSL certificate and the VMCA root certificate. In this post we will learn how to replace the default ESXi SSL certificates with certificates signed by our CA server.

If you missed the earlier posts in this series, you can read them from the links below:

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

5: Replacing vSphere 6 SSL Certificates

An ESXi host uses default certificates that are created during installation. These certificates are not verifiable and are not signed by a trusted certificate authority. If using the default certificates does not comply with the security policy of your organization, then you need certificates signed by your CA server.

Note: ESXi hosts that are upgraded from vSphere 5.x to vSphere 6.0 will continue using their Certificate Authority signed certificates if they were replaced in the previous version. However, ESXi 5.x hosts that were running self-signed certificates and were then upgraded to vSphere 6.0 will have their certificates regenerated as VMware-signed certificates.

We will be using openssl to create a private key and a certificate signing request (CSR), then send the CSR over to our CA server to sign it. Instructions for configuring openssl are described here.

The steps for replacing the SSL certificates on ESXi hosts are as follows:

1: Configure openssl.cfg file

The openssl.cfg file is located in the C:\OpenSSL\bin directory. Make a backup of this file and edit the following fields in it:


[ req_distinguished_name ]
countryName = IN
countryName_default = IN
stateOrProvinceName = Karnataka
stateOrProvinceName_default = Karnataka
localityName = Bangalore
0.organizationName = Alex.Co
0.organizationName_default = Alex.Co
organizationalUnitName = Cloud
commonName = vcentersrv01.alex.local
emailAddress = vcadmin@alex.com

2: Generate the CSR and key file by executing the command below

Note: Create a directory before generating the certificate files and navigate to that directory, so that the command below writes the files into the directory you just created.

openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config C:\OpenSSL\bin\openssl.cfg


3: Convert the generated key to RSA format

openssl rsa -in rui-orig.key -out rui.key


Verify that the rui.csr and rui.key files have been generated. Copy the rui.csr file to your CA server.

4: Generate a signed certificate.

  • Launch certificate authority web interface ( http://<servername>/CertSrv/)
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of this file, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into the Saved Request box.
  • Click Web Server when selecting the Certificate Template and click Submit to submit the request.
  • Click Base 64 encoded on the Certificate issued screen and click Download Certificate.


Save the certificate file as Esxi01.cer.

5: Convert Esxi01.cer file format

ESXi hosts require an X.509 based certificate, so change the format of the certificate file using the command below:

# openssl x509 -in Esxi01.cer -out Esxi_01.crt

6: Replace the old ESXi host certificates with the new ones

Enable SSH on your ESXi host and place the host into Maintenance Mode. Navigate to the /etc/vmware/ssl directory and move the rui.crt and rui.key files to another location, for example /tmp/oldcerts.

Transfer the Esxi_01.crt file generated in step 5 (renamed to rui.crt) and the rui.key file generated in step 3 to /etc/vmware/ssl on your ESXi host using WinSCP in Text (ASCII) mode, to avoid problems with special characters.

Now restart the management agents or reboot the host for the new certificates to take effect.

Take the host out of Maintenance Mode.
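The openssl part of steps 1 to 5 as one non-interactive script, added here as an example and not part of the original post: a throwaway CA stands in for the Windows CA server, and the script ends with the checks worth running before the files are copied to /etc/vmware/ssl. It assumes openssl on the PATH; the Lab-CA name and the check functions are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the post's openssl steps run
# non-interactively, a throwaway CA standing in for the Windows CA server,
# and pre-flight checks before the files replace /etc/vmware/ssl/rui.crt
# and rui.key. Assumes openssl on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Step 1: the post's [ req_distinguished_name ] values, written inline
cat > openssl.cfg <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = IN
ST = Karnataka
L = Bangalore
O = Alex.Co
OU = Cloud
CN = vcentersrv01.alex.local
emailAddress = vcadmin@alex.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
# Step 2: unencrypted key plus CSR from that config
openssl req -new -nodes -newkey rsa:2048 -out rui.csr -keyout rui-orig.key \
  -config openssl.cfg 2>/dev/null
# Step 3: rewrite the key as a plain "RSA PRIVATE KEY" block (OpenSSL 3 needs
# -traditional for that; 1.1.x emits it by default and rejects the flag)
openssl rsa -in rui-orig.key -out rui.key -traditional 2>/dev/null \
  || openssl rsa -in rui-orig.key -out rui.key 2>/dev/null
# Step 4 stand-in: constructed lab CA; the post submits rui.csr to CertSrv instead
openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=Lab-CA" \
  -config openssl.cfg -extensions v3_ca -keyout ca.key -out ca.cer 2>/dev/null
openssl x509 -req -in rui.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
  -days 365 -out Esxi01.cer 2>/dev/null
# Step 5: normalise the issued certificate to PEM X.509
openssl x509 -in Esxi01.cer -out Esxi_01.crt
# Pre-flight checks: catch a cert/key mismatch or the wrong issuer before the
# host's management agents are restarted with the new files
key_matches_cert() {   # true when cert $1 and key $2 carry the same public key
  [ "$(openssl x509 -noout -pubkey -in "$1" | openssl md5)" = \
    "$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl md5)" ]
}
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
key_is_traditional_rsa() { grep -q 'BEGIN RSA PRIVATE KEY' "$1"; }
cert_cn_is() { openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2"; }
```

Run the checks against the real Esxi01.cer and rui.key with your CA's certificate as the CAfile; a failure in any of them means the host should not be restarted with those files.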

Now if you connect to the ESXi host directly from the vSphere Client, it will prompt you to accept the new certificate. If you open the properties of this new certificate, you will see that it has been issued by your CA server.


In my case the ESXi host got disconnected from vCenter Server after replacing the certs. Restarting the management agents did not fix the issue for me. All I did was reboot the host, and it connected automatically without any issues.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)

About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.