The application of custom certificates on ESXi host(s) results in the URL being marked as 'not secure'

Article ID: 394587

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

When browsing to the ESXi host by IP or FQDN (for example https://IP_of_host), the browser flags the connection as "Not Secure" even though a custom certificate has been installed on the host. (The original article shows a screenshot of the warning at this point.)

Environment

VMware vSphere ESXi

Cause

The host address is flagged as "Not Secure" because the custom certificate was issued without a Subject Alternative Name (SAN) extension. Current browsers (Chrome since version 58, and the other major browsers) no longer fall back to the certificate's Common Name (CN) when checking that a certificate matches the host in the URL; they only match the names listed in the SAN extension. A certificate with no SAN therefore matches no host name at all, regardless of what the CN says.

How to Verify if the SAN Field is Missing or Present in a Certificate:

    1. Open the ESXi web client in a browser.
    2. Click on the padlock icon/settings icon in the address bar and view the certificate details.
    3. Navigate to: Certificate → Details → Look under the Extensions section.
    4. Check for the "Subject Alternative Name (SAN)" field:
        ○ If the SAN field is missing, or it does not list the name or IP address you typed in the address bar (short name, FQDN or IP of the ESXi host), modern browsers will not treat the certificate as valid for that host.
        ○ The SAN field may include:
            # Fully Qualified Domain Name (FQDN)
            # IP address
            # Short hostname (if applicable)

Common Cause for Missing SAN:

    • When the CSR (Certificate Signing Request) is generated with OpenSSL on a Linux-based system (where the file is normally named openssl.cnf rather than openssl.cfg) and the configuration file is not set up correctly, the CSR is produced without a SAN extension, so the issued certificate lacks one too.
    • The configuration must explicitly list the SAN entries in an extensions section, and that section must be referenced from the [ req ] section (req_extensions = ...) or passed with -reqexts on the command line; otherwise OpenSSL silently ignores it.
    • Even with a correct CSR, the signing CA must copy the requested extensions into the certificate. Always inspect the issued certificate, not just the CSR.

Sample SAN line (openssl.cfg, inline form; substitute the ESXi host's own short name, FQDN and IP):

subjectAltName = DNS:vcenter, IP:10.0.0.10, DNS:vcenter.domain.com

Resolution

The issue occurs because the SAN (Subject Alternative Name) entries are missing from the OpenSSL configuration used to create the CSR. The resulting certificate then carries none of the names the browser needs to match (IP address, FQDN or short hostname), so the URL is marked "Not Secure." The fix is to regenerate the CSR with a SAN extension that lists every name and address used to reach the host, have it re-signed, and install the new certificate on the ESXi host.

To resolve this, you can choose one of the following approaches:

  1. Modify the openssl.cfg (openssl.cnf) on a Linux-based system
    Update the configuration file to include the SAN field before generating the CSR. Add the following at the end of the file, and make sure the [ req ] section references the new extensions section (without the req_extensions line the [ alt_names ] block is ignored):

    [ req ]
    req_extensions = req_ext

    [ req_ext ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = vcenter
    DNS.2 = vcenter.domain.com
    IP.1 = 10.0.0.10

    Replace the DNS and IP values with the ESXi host's own short name, FQDN and management IP address.

  2. Use OpenSSL on a Windows-based system
    Generate the CSR using OpenSSL for Windows, and ensure the openssl.cfg is updated with the same SAN details.
    Follow the Windows OpenSSL configuration steps here: https://knowledge.broadcom.com/external/article/344117
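The following script is an added example and is not part of the original article or of any VMware tooling. It walks through both halves of the procedure on a Linux system with OpenSSL installed: it writes a request configuration whose [ req ] section references the SAN extensions, generates a key and CSR from it, checks that the CSR actually carries the SAN, then issues a throwaway self-signed certificate from that CSR (standing in for the real CA) and checks the SAN again on the certificate, since a CA that drops requested extensions produces exactly the problem described above. The host names and IP (esxi01, esxi01.domain.com, 10.0.0.10) and the rui.key/rui.csr file names are placeholders; substitute the real host's values.

```shell
#!/bin/sh
# Added example (not from the original article): build an ESXi CSR with a
# SAN covering short name, FQDN and IP, and verify the SAN at each stage.
# Names, IP and organisation below are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write the OpenSSL request config. The [ req ] section must point at the
# extension section via req_extensions, or [ alt_names ] is silently ignored.
write_req_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]
C  = US
O  = Example Org
CN = esxi01.domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = esxi01
DNS.2 = esxi01.domain.com
IP.1  = 10.0.0.10
EOF
}

# Generate the private key and CSR (rui.key / rui.csr follow ESXi's naming).
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/rui.key" -out "$WORK/rui.csr" \
        -config "$WORK/openssl.cnf" 2>/dev/null
}

# Stand-in for the CA: sign the CSR and carry the SAN through explicitly.
# openssl x509 -req does not copy CSR extensions on its own, which is how
# a certificate can end up without a SAN even when the CSR had one.
sign_test_cert() {
    openssl x509 -req -in "$WORK/rui.csr" -signkey "$WORK/rui.key" -days 30 \
        -extfile "$WORK/openssl.cnf" -extensions req_ext \
        -out "$WORK/rui.crt" 2>/dev/null
}

# Print the SAN value line of a CSR, or nothing if the extension is absent.
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Same check for an issued certificate.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Return 0 if the SAN line names exactly the given DNS name or IP address.
# The line is wrapped in ", ... ," so "esxi01" does not match "esxi01.domain.com".
san_covers() {
    wrapped=", $1,"
    case "$wrapped" in
        *", DNS:$2,"*|*", IP Address:$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

write_req_config
gen_csr
sign_test_cert
echo "CSR SAN : $(csr_san "$WORK/rui.csr")"
echo "Cert SAN: $(cert_san "$WORK/rui.crt")"
for name in esxi01 esxi01.domain.com 10.0.0.10; do
    if san_covers "$(cert_san "$WORK/rui.crt")" "$name"; then
        echo "OK      : certificate covers $name"
    else
        echo "MISSING : certificate does not cover $name"
    fi
done
```

To check a certificate that is already installed on a host, the same cert_san logic applies to the PEM obtained with `openssl s_client -connect IP_of_host:443 -showcerts </dev/null`; if the value you type in the browser's address bar is not in that SAN line, the "Not Secure" warning will remain even though the certificate chains correctly.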

Additional Information