How to Replace Default VMware ESXi SSL Certificate?
To improve security in your virtualized environment, it is advisable to use CA-signed certificates, because a self-signed certificate is not trusted by default when the host communicates with other systems.
An ESXi host uses default certificates that are created during installation. These certificates cannot be verified and are not signed by a trusted certificate authority.
How to Replace VMware ESXi Certificate
Join ESXi to Domain
In the first step, join the hosts to the domain. You can do this through the ESXi Host Client.
Step 01. Open the ESXi Host Client, go to the Manage menu, select the Security tab and click the Join Domain option.
Step 02. In this view, fill in all the required fields according to your infrastructure environment and click Join Domain at the end.
Step 03. After a few minutes the ESXi host has joined the domain, and you can see this view.
Prepare OpenSSL File
We will use OpenSSL to create a private key and a certificate signing request (CSR), and then send the request to our CA server to be signed. So first we must adapt the OpenSSL configuration file to our ESXi server.
Step 01. Download OpenSSL from this link.
Step 02. Install OpenSSL, then go to the installation directory and save a copy of the ‘openssl.cfg’ file in another location as a backup.
Step 03. Open the ‘openssl.cfg’ file with Notepad, erase all of its content, write the example below adapted to your ESXi host, and then save it.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:host01, IP:172.16.160.21, DNS:host01.vtechsummary.local

[ req_distinguished_name ]
countryName = IR
stateOrProvinceName = TEH
localityName = TEH
0.organizationName = vTechSummary.com
organizationalUnitName = IT
commonName = host01.vtechsummary.local
Step 04. Open Command Prompt or PowerShell and run the commands below to create the CSR.
cd "C:\Program Files\OpenSSL-Win64\bin"
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
When you run the above command, the three files shown below are created automatically.
Obtain a Certificate from the CA Server
Step 01. Log in to the CA server and proceed with a certificate request as follows:
Step 02. Open the ‘rui.csr’ file and copy all of its content into the Saved Request box, then select Web Service as the certificate template and click Submit.
Step 03. Select the Base-64 encoded option and download the certificate. After downloading, rename the file to ‘rui.crt’.
Replace the SSL Certificate
Step 01. Enable the ESXi SSH service.
Step 02. Log in to the ESXi host with WinSCP or similar software.
Step 03. Go to the ‘/etc/vmware/ssl’ directory and copy the files below onto the ESXi host.
Step 04. Connect to ESXi with PuTTY and run the command below.
Finally, after the services have restarted, when you log in to ESXi through the browser you can see that the ESXi certificate has been replaced and is now valid.
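As an added example (not from the original post), the script below writes the openssl.cfg shown above, runs the Step 04 CSR command against it, and adds the pre-install check a practitioner wants before overwriting /etc/vmware/ssl: that the rui.crt returned by the CA actually belongs to the private key, since a mismatched pair leaves hostd unable to start. It assumes openssl is on the PATH and uses a temporary working directory instead of the OpenSSL bin folder; the hostname and IP are the post's own example values.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH.
# Builds the post's openssl.cfg, creates rui.csr + rui-orig.key (Step 04),
# and checks a returned rui.crt against the key before it goes to /etc/vmware/ssl.
WORK="${WORK:-$(mktemp -d)}"
write_config() {   # the post's config; host01 values are the post's example
  cat > "$WORK/openssl.cfg" <<'EOF'
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:host01, IP:172.16.160.21, DNS:host01.vtechsummary.local
[ req_distinguished_name ]
countryName = IR
stateOrProvinceName = TEH
localityName = TEH
0.organizationName = vTechSummary.com
organizationalUnitName = IT
commonName = host01.vtechsummary.local
EOF
}
make_csr() {       # Step 04 of the post, run from $WORK instead of the OpenSSL bin dir
  write_config
  openssl req -new -nodes -out "$WORK/rui.csr" -keyout "$WORK/rui-orig.key" \
    -config "$WORK/openssl.cfg" 2>/dev/null
}
csr_has_san() {    # does the CSR really carry the SAN entry given as $1?
  openssl req -in "$WORK/rui.csr" -noout -text | grep -q -- "$1"
}
cert_matches_key() {   # $1 = certificate from the CA, $2 = private key
  # The public key embedded in rui.crt must equal the one derived from the key;
  # copying a mismatched pair to /etc/vmware/ssl breaks hostd on restart.
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}
# Usage: make_csr; submit $WORK/rui.csr to the CA (Step 02 above); then run
#   cert_matches_key rui.crt rui-orig.key   before copying the pair to the host
#   as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key (back up the old ones first).
```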