Replacing Esxi 6 SSL Certificates

In our last post Replacing vSphere 6 SSL Certificates we learned how to replace Machine certificates and VMCA root certificates. In this post we will learn how to replace Esxi default ssl certificates with certificates signed by CA server.

If you have missed earlier posts of this series, then you can read them from below links

1: Setup CA Server for vSphere Lab

2: Set Up Automatic Certificate Enrollment

3: Request Internal Certificate from CA Server

4: Everything You Should Know About Certificate Management in vSphere 6

5: Replacing vSphere 6 SSL Certificates

ESXi host uses default certificates that are created during installation. These certificates are not verifiable and are not signed by a trusted certificate authority. If using default certificates do not fall under security policy of your organization, then you need the self-signed certificates from your CA server.

Note: ESXi hosts that are upgraded from vSphere 5.x to vSphere 6.0 will continue using their Certificate Authority signed certificates if they were replaced in the previous versions. However, ESXi 5.x hosts that were running self-signed certificates and then upgraded to vSphere 6.0 will have their certificates regenerated using VMware-signed.

We will be using openssl to create the self-signed certificates and then send them over to our CA server to sign them. Instructions for configuring openssl is described Here

The steps for replacing SSL certificates on Esxi hosts are as follows:

1: Configure openssl.cfg file

openssl.cfg file is located in C:OpenSSLbin directory. Make a backup of this file and edit the following fields in this file:

[ req_distinguished_name ]
countryName = IN
countryName_default = IN
stateOrProvinceName = Karnataka
stateOrProvinceName_default = Karnataka
localityName = Bangalore
0.organizationName = Alex.Co
0.organizationName_default = Alex.Co
organizationalUnitName = Cloud
commonName = vcentersrv01.alex.local
emailAddress = vcadmin@alex.com

2: Generate csr and key file by executing below command

Note: Create a directory before generating the cert files and navigate to that directory so that the below command will generate the certs in the present directory created.

# openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config C:OpenSSLbinopenssl.cfg

esxi-1

3: Convert the generated key in RSA format

openssl rsa -in rui-orig.key -out rui.key

esxi-2

Verify that rui.csr and rui.key files are generated. Copy rui.csr file to your CA server.

4: Generate a signed certificate.

  • Launch certificate authority web interface ( http://<servername>/CertSrv/)
  • Click Request a certificate > Advanced certificate request.
  • Open the certificate request in a plain text editor and copy the contents of tis file including —–BEGIN CERTIFICATE REQUEST—– to —–END CERTIFICATE REQUEST—– lines into the Saved Request box.
  • Click Web Server when selecting the Certificate Template and click Submit to submit the request.
  • Click Base 64 encoded on the Certificate issued screen and click Download Certificate.

esxi-3

save the certificate file as Esxi01.cer

5: Convert Esxi01.cer file format

ESXi hosts requires X.509 based certificate, so change the format of certificate file using the command below:

# openssl x509 -in Esxi01.cer -out Esxi_01.crt

6: Replace Esxi host old certificates with new certificates

Enable SSH on your Esxi host and place the host into Maintenance Mode. Navigate to /etc/vmware/ssl directory and move rui.crt and rui.key file to another location say for e.g. /tmp/oldcerts

Transfer the Esxi_01.crt file generated in step 5 and rui.key file generated in step 3 on your Esxi host using WinSCP using Text Mode or ASCII mode to avoid the issue of special characters.

Now restart management agent or reboot the host for new certificates to take effect.

Remove host out of Maintenance mode.

Now if you connect to the Esxi host directly from vSphere Client, it will prompt you to accept the new certificate. If you open the properties of this new certificate, you will see that it has been issued by your CA server

esxi-5

In my case the Esxi host got disconnected from vCenter Server after replacing the certs. restarting management agents did not fixed the issue for me. All I did was just rebooted the host and it connected automatically without any issues

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)