How to modify the SAN field on ESXi host self-signed SSL certificate

Article ID: 373323


Updated On:

Products

VMware vSphere ESXi, VMware vSphere ESXi 7.0, VMware vSphere ESXi 8.0

Issue/Introduction

This informational KB article describes how to modify the Subject Alternative Name (SAN) fields on an ESXi host's self-signed SSL certificate.

Environment

VMware vSphere ESXi 

Resolution

Modify the SSL certificate SAN field as follows:

NOTE: The "generate-certificates" file cannot be edited directly. Instead, take a copy of the file, make the required changes in the copy, and then replace the actual file with it using the copy command.

  • SSH to the ESXi host.

  • Run the command: vsish -e set /config/VisorFS/intOpts/VisorFSPristineTardisk 0

  • Take a copy of the "generate-certificates" file under /usr/sbin as follows:
    • # cd /usr/sbin
    • # cp generate-certificates generate-certificates-bkp

  • Make the required changes to the SAN field in the "generate-certificates-bkp" file using the vi file editor:
    • vi generate-certificates-bkp
      • Edit the SAN field to the required entries as follows:
        • Example: DNS:esxxx1.xxxx.xxg,DNS:192.X.X.X,DNS:esxi1 (FQDN, IP, short name of ESXi)
  • Replace the original file with the edited copy:
    • # cp generate-certificates-bkp generate-certificates
  • Regenerate the self-signed certificate by executing the following command:
    • /sbin/generate-certificates

  • Restart the hostd and vpxa services by executing the following command:
    • /etc/init.d/hostd restart && /etc/init.d/vpxa restart
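
After the services restart, it is worth confirming that the regenerated certificate actually carries the SAN entries written into the script. The check below is an added example, not part of the original article or of VMware's tooling; it assumes `openssl` is available in the shell, the certificate path is supplied by you as an argument, and the host names in the sample are constructed.

```sh
#!/bin/sh
# Added example: verify the SAN entries of a regenerated certificate.

# Read `openssl x509 -noout -text` output on stdin and print one SAN entry
# per line. openssl prints the list on the line that follows the
# "X509v3 Subject Alternative Name:" header, separated by ", ".
san_entries() {
    awk '
        found { gsub(/^[ \t]+/, ""); gsub(/, */, "\n"); print; exit }
        /X509v3 Subject Alternative Name/ { found = 1 }
    '
}

# check_san_text EXPECTED...  (stdin: openssl text dump)
# Returns 0 when every expected entry is present; otherwise prints each
# missing entry and returns 1.
check_san_text() {
    entries=$(san_entries)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$entries" | grep -Fxq -- "$want"; then
            echo "MISSING: $want"
            rc=1
        fi
    done
    return $rc
}

# check_san_cert CERT_PEM EXPECTED...  (same check against a PEM file)
check_san_cert() {
    cert=$1; shift
    openssl x509 -in "$cert" -noout -text | check_san_text "$@"
}

# Constructed excerpt of an openssl text dump, used only for a dry run.
sample_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:esxi1.example.test, DNS:192.0.2.10, DNS:esxi1
EOF
}

# Usage: sh check_san.sh <certificate.pem> DNS:<fqdn> DNS:<short-name> ...
if [ "$#" -ge 2 ]; then
    check_san_cert "$@"
fi
```

Pass the entries exactly as they were typed into the SAN field, one argument each; a non-zero exit status means at least one of them did not make it into the certificate.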