To improve security in your virtualized environment, it is advisable to use signed certificates, because a ‘self-signed’ certificate will not be trusted by default in its communications with other systems. There are various ways to deploy signed certificates on your ESXi hosts, and in this post we will look at the available options.
Renewing ESXi Certificates
If you have updated the certificate information and want to push those changes to the certificate installed on the ESXi host, the simplest method is to renew the certificate. Let's understand this with an example.
Suppose this is the current configuration of the vCenter certificate, where the country name is US and the Org Unit is “VMware Engineering”.
Now suppose you have updated the various configuration values for your vCenter certificate as shown below.
Now if you select the ESXi host and navigate to Manage > Settings > Certificates, you will see it still contains the old information, i.e. the country name is still US and the OU is still VMware Engineering.
For the changes made earlier to appear in the ESXi certificate, click the Renew button and hit Yes.
The changes then appear in the host certificate immediately.
Refreshing CA Certificates on ESXi Hosts
If your VMCA is configured as a subordinate CA and you have already replaced the VMCA root certificate, you can force a sync of the CA-issued certificates on the ESXi host by clicking “Refresh CA Certificates”.
In this screenshot, you can see the certificate validity is 5 years and the certificate issuer is VMware.
In my lab, my CA server signs certificates with only 2 years of validity.
Now if I click Refresh CA Certificates and press Yes to continue, it pushes all certificates from the TRUSTED_ROOTS store in VECS to the host.
I can immediately see that the issuer of the certificate has changed to the CA and the validity has been reduced to 2 years.
Note: If the ESXi host certificate has already expired, you can simply disconnect and remove the host from the inventory, then reconnect it. vCenter Server renews the certificate of a host added to the inventory if the certificate is expired.
Regenerating a new self-signed ESXi Server Certificate
If the ESXi host certificate is expired, compromised or configured with an incorrect date, you can regenerate it by following the steps below:
1: Enable SSH on the ESXi server, then put the ESXi server into maintenance mode.
2: SSH to the ESXi host and rename the certificate file and private key file.
[root@esxi04:/etc/vmware/ssl] mv rui.crt rui.crt.bkp
[root@esxi04:/etc/vmware/ssl] mv rui.key rui.key.bkp
3: Regenerate a new certificate using the /sbin/generate-certificates command and verify that the new certificate file and private key file have been generated.
[root@esxi04:/etc/vmware/ssl] /sbin/generate-certificates
[root@esxi04:/etc/vmware/ssl] ls -l
total 24
-rw-r--r-- 1 root root 1415 Nov 5 14:10 rui.crt
-rw-r--r-- 1 root root 1403 Nov 5 06:06 rui.crt.bkp
-r-------- 1 root root 1704 Nov 5 14:10 rui.key
-r-------- 1 root root 1708 Nov 5 06:06 rui.key.bkp
4: Restart the ESXi server management agents by running /sbin/services.sh restart, or reboot the host.
5: The ESXi host will now have a new self-signed certificate.
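After regenerating (or renewing) a host certificate, it is worth confirming more than that the files exist: that rui.key really belongs to rui.crt, and what subject, issuer and validity the host will now present. The script below is an added example, not part of the original post; it assumes openssl is on PATH, and the rui.crt/rui.key pair it inspects is a throwaway pair it generates itself (on a real host you would point it at /etc/vmware/ssl).

```shell
#!/bin/sh
# Added example: sanity-check an ESXi-style rui.crt / rui.key pair.
# Assumes openssl is available; file paths are constructed for the demo.

# Print subject, issuer and validity window; return 1 if the certificate
# is already expired or expires within $2 days (default 30).
cert_report() {
    cert="$1"
    min_days="${2:-30}"
    openssl x509 -in "$cert" -noout -subject -issuer -dates || return 2
    # -checkend takes seconds and exits non-zero when expiry falls inside the window
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "WARNING: $cert expires within $min_days days (or has already expired)"
        return 1
    fi
    return 0
}

# Return 0 only when the public key embedded in the certificate equals the
# public key derived from the private key, i.e. the two files were generated together.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed test data: a one-year self-signed pair with ESXi-like subject
# fields, plus an unrelated private key to show a mismatch being caught.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=esxi04.lab.local/O=VMware/OU=VMware Engineering/C=US" \
    -keyout "$demo_dir/rui.key" -out "$demo_dir/rui.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" >/dev/null 2>&1

cert_report "$demo_dir/rui.crt" 30
if keypair_matches "$demo_dir/rui.crt" "$demo_dir/rui.key"; then
    echo "OK: rui.crt matches rui.key"
fi
if ! keypair_matches "$demo_dir/rui.crt" "$demo_dir/other.key"; then
    echo "OK: mismatch detected for other.key"
fi
```

The same two functions run unchanged against /etc/vmware/ssl/rui.crt and rui.key on a host, and cert_report with a larger day count is a quick way to spot certificates that will need the Renew or Refresh CA Certificates action soon.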
Replacing ESXi Server Certificate with CA signed Certificate
I am not covering the steps for this as I already wrote a blog post on it in the past. You can read it from here
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable