Creating CA assigned certificates for an ESXi host is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. Each server must be unique to the component as it ties to the fully qualified domain name of the server. As such you cannot just take a single certificate and apply it to all hosts. Wildcard certificates are currently not supported, but even if they were, it is much more secure to have a proper certificate for each host. There are several different work flows required for a successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate on the ESXi host
These steps must be followed to ensure successful implementation of a custom certificate for an ESXi 5.x host. Before attempting these steps ensure that:
- You have a vSphere environment.
- You have followed the steps in the below configuring SSL articles for vSphere 5.x
- You have an SSH client (such as Putty) installed
- You have a SFTP/SCP client (such as WinSCP) installed
Generating a certificate request
To generate a certificate request for an ESXi host:
- Edit the openssl.cfg file in ESXI host, If file not available then create new and edit the content as mentioned below( We can create in any /tmp/ location as well and provide path accordingly while running command) :
Note: Replace the code in Red with the details of the system requiring the SSL certificates:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vcenter, IP:10.0.0.10, DNS:vcenter.domain.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = Domain
organizationalUnitName = vCenterInventoryService
commonName = vcenter.domain.com
2.Execute the command:
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
This creates the certificate request rui.csr.
Convert the Key to be in RSA format by running this command:
openssl rsa -in rui-orig.key -out rui.key
Getting the certificate
After the certificate request is created, the certificate must be given to the certificate authority for generation of the actual certificate. The authority presents a certificate back, as well as a copy of their root certificate, if necessary. For the certificate chain to be trusted, the root certificate must be installed on the server.
Follow the appropriate section below for the steps for the certificate authority in question.
For Commercial CAs:
- Take the certificate request (rui.csr, as generated above) and send it to the authority in question.
- The authority sends back the generated certificate.
- Install the root certificate onto the vCenter server before proceeding to the Installation of the certificate section of this document.
For Microsoft CAs:
Note: For Windows Server 2003 CA's, Enterprise edition is required. Other Windows Server 2003 editions do not have the correct templates for exporting a valid SSL certificate.
- Log in to the Microsoft CA certificate authority web interface. By default, it is http://<servername>/CertSrv/
- Click Request a certificate.
- Click advanced certificate request.
- Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Open the certificate request in a plain text editor.
- Copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
- Click Web Server when selecting the Certificate Template.
- Click Submit to submit the request.
- Click Base 64 encoded on the Certificate issued screen.
- Click Download Certificate.
- Save the certificate on the desktop of the server as rui.crt. When complete, proceed to Installing and configuring the certificate on the ESXi host to complete the configuration of the custom certificate.
For OpenSSL Self-Signed Certificates:
- Create the certificate by running this command:
openssl req -x509 -sha256 -newkey rsa:2048 -keyout rui.key -config openssl.cfg -out rui.crt -days 3650
This command outputs the certificate as needed to proceed to the installation and configuration section of this article.
Installing and configuring the certificate on the ESXi host
After the certificate is created, complete the installation and configuration of the certificate on the ESXi 5.x host:
-
Log in to vCenter Server
-
Put the host into Maintenance Mode.
- Navigate to the console of the server to enable SSH on the ESXi 5.x host.
- Press F2 to log in to the Direct Console User Interface (DCUI).
- Click Troubleshooting options > Enable SSH.
- Log in to the host and then navigate to /etc/vmware/ssl .
- Copy the files to a backup location, such as a VMFS volume.
- Log in to the host with WinSCP and navigate to the /etc/vmware/ssl directory.
- Delete the existing rui.crt and rui.key from the directory.
- Copy the newly created rui.crt and rui.key to the directory using Text Mode or ASCII mode to avoid the issue of special characters ( ^M) appearing in the certificate file.
- Type vi rui.crt to validate that there are no extra characters.
Note: There should not be any erroneous ^M characters at the end of each line.
- Switch back to the DCUI of the host and select Troubleshooting Options > Restart Management Agents.
- When prompted press F11 to restart the agents. Wait until they are restarted.
- Press ESC several times until you logout of the DCUI.
- Exit the host from Maintenance Mode.
- Restart the host OR disconnect and reconnect the host.
Note: If the HA election fails, timeout, or waiting to join, then disconnect and reconnect all hosts from the cluster. A new election will occur using the updated SSL thumbprints.
When complete, the host is made available and successfully rejoins the cluster.
Note: If the host is a part of a View cluster, you may need to perform these steps after updating the certificates to update the vCenter database with the new certificate thumbprint:
- Log in to vCenter Server.
- Place the host into the Maintenance Mode.
- Right-click on the host and select Disconnect.
- Remove the disconnected host from the View cluster.
- Recompose the View desktop(s) again on the existing hosts in the cluster and ensure that they recompose successfully.
- Right-click on the disconnected host and select Connect.
- Add the host back to the cluster.
- Set DRS to Manual (optional).
- Recompose the desktop on the host that was recently added back into the cluster.
- If step 9 is successful, set DRS back to Automatic, if required.
If you are not running vCenter Server 5.0 U1 or later, the configuration of VMware HA fails with an error. This is due to a known issue where the new SSL thumbprint is not updated in the vCenter database for VMware HA. For more information on this error, see
After upgrading to vSphere 5, you see the HA error: vSphere HA Cannot be configured on this host because its SSL thumbprint has not been verified (2006210).
The easiest way to resolve this issue is to follow the
Alternative Workaround section of the KB article, which uses
HostReconnect.pl (attached to the article) to reconnect the servers to vCenter Server updating the expected SSL thumbprint in the vCenter Server database. When complete, run a reconfigure of vSphere HA for the configuration to proceed successfully.
The configuration of the custom certificate is now complete. Repeat these steps for each host which needs to have a custom certificate.