On a Stateless ESXi host provisioned with Auto Deploy, Customized SSL Certificates and keys are not saved by default

Article ID: 310182

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Auto Deploy generates and caches SSL certificates and keys for ESXi hosts that it provisions. If you customize the SSL certificate and key on such a host, either via SSH or through the vifs command, the ESXi host does not cache the user-supplied certificate and key.

On reboot, the customized SSL certificate and key are lost and the host comes back with the Auto Deploy-cached pair.


Environment

VMware vCenter Server 5.x
VMware vSphere ESXi 5.x

Resolution

Changing the vCenter Server Appliance host certificates for Auto Deploy:
  1. Power on the ESXi host that you want to add custom certificates to. If needed, add the host into vCenter Server; otherwise wait until it is loaded into the vCenter Server inventory.
  2. Reboot the host and wait for it to join vCenter Server again. This moves the certificates into the respective host (host-moId) directory.
  3. Navigate to /var/lib/rbd/ssl/<host-moId>/.

    Note: To verify the certificate is for the correct host, run openssl x509 -in rui.crt -text -noout in the directory of the certificate and confirm that the subject and other details belong to the intended host.

  4. Replace the respective 'rui.key' and 'rui.crt' files in the <host-moId> directory with the desired key and certificate.
  5. Reboot the ESXi host to verify that the certificates are retained.
  6. Further reboots of the host keep the replaced certificates in place.
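As an added example for the appliance procedure above (not code from the KB article), a small POSIX shell helper that performs the openssl check from the note and refuses to overwrite the cached rui.key/rui.crt unless the new private key actually matches the new certificate, keeping a backup of the pair being replaced. The function names, the backup naming and the assumption that the openssl CLI is on the PATH are mine.

```shell
# Added example (not from the KB article): safely replace the cached
# rui.key/rui.crt for one Auto Deploy host under /var/lib/rbd/ssl/<host-moId>/.
# Assumes POSIX sh and the openssl CLI; directory layout as in the article.
set -u

# Print the subject of the certificate currently cached for a host, so the
# operator can confirm the <host-moId> directory belongs to the intended host.
cert_subject() {
    openssl x509 -in "$1/rui.crt" -noout -subject
}

# Return 0 when the private key and certificate carry the same public key.
# Installing a mismatched pair leaves the host unable to serve TLS after reboot.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# replace_host_cert <host-moId dir> <new key> <new cert>
# Validates the new pair, backs up the cached pair, then installs the new one.
replace_host_cert() {
    dir=$1; new_key=$2; new_crt=$3
    [ -d "$dir" ] || { echo "no such host directory: $dir" >&2; return 1; }
    key_matches_cert "$new_key" "$new_crt" || {
        echo "refusing: $new_key does not match $new_crt" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    for f in rui.key rui.crt; do
        # Keep the previously cached pair so the change can be rolled back.
        [ -f "$dir/$f" ] && cp -p "$dir/$f" "$dir/$f.$stamp.bak"
    done
    cp "$new_key" "$dir/rui.key" && cp "$new_crt" "$dir/rui.crt" || return 1
    chmod 600 "$dir/rui.key"   # the private key must not be world-readable
    return 0
}
```

Run `replace_host_cert /var/lib/rbd/ssl/<host-moId> new.key new.crt` and then reboot the host as in step 5; a non-zero exit means nothing was changed.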
 
Changing the vCenter Server host certificates for Auto Deploy:
 
  1. Power on the ESXi host that you want to add custom certificates to. If needed, add the host into vCenter Server; otherwise wait until it is loaded into the vCenter Server inventory.
  2. Reboot the host and wait for it to join vCenter Server again. This moves the certificates into the respective host (host-moId) directory.
  3. Navigate to <AutoDeploy Install Directory>/ssl/<host-moId>/, which contains rui.key and rui.crt.

    Note: To verify the host is correct, open the .crt file and confirm under the details that the information is for the intended host.

  4. Replace the respective 'rui.key' and 'rui.crt' files in the <host-moId> directory with the desired key and certificate.
  5. Reboot the ESXi host to verify that the certificates are retained.

    Note: Further reboots of the host keep the replaced certificates in place.