How to modify the SAN field on ESXi host self-signed SSL certificate
Article ID: 373323
Updated On:
Products
VMware vSphere ESXi
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0
Issue/Introduction
This is an informational KB article to modify the Subject Alternative Name (SAN) fields on ESXi host self-signed SSL certificate.
Environment
VMware vSphere ESXi
Resolution
Modify the SSL certificate SAN field as follows:
NOTE: "generate-certificates" file cannot be edited directly. Hence taking a copy of the file, making required changes and then replacing it with the actual file using the copy command.
- SSH to the ESXi host.
- Run the command:
vsish -e set /config/VisorFS/intOpts/VisorFSPristineTardisk 0 - Take a copy of "generate-certificates" file under /usr/sbin as follows:
#cd /usr/sbin#cp generate-certificates generate-certificates-bkp
- Make required changes of SAN field in "generate-certificates-bkp" file using the vi file editor:
- vi generate-certificates-bkp
- Edit SAN field to required entries as follows:
- Example: DNS:esxxx1.xxxx.xxg,DNS:192.X.X.X,DNS:esxi1 (FQDN, IP, short name of ESXi)
- Edit SAN field to required entries as follows:
- vi generate-certificates-bkp
- Replace the backup file with the original file:
#cp generate-certificates-bkp generate-certificates
- Regenerate the self-signed certificate by executing the following command:
/sbin/generate-certificates
- Restart the hostd and vpxa services by executing the following command:
/etc/init.d/hostd restart && /etc/init.d/vpxa restart
Feedback
Yes
No
Powered by
