26 Apr
How to Replace ESXi SSL Certificates with Internal CA Certs
Improve security and eliminate browser warnings by replacing self-signed SSL certificates on your ESXi hosts with internal CA certificates. Let’s walk through the process step-by-step. Not only will you get rid of that ugly warning in your browser, but it’s sure to make your IA team happy.
Prerequisites
- This walkthrough targets vSphere 7.x/8.x environments that use an internal CA. If you are using certificates supplied by an external CA, the CSR process will differ, and you can skip to “Installing the Certificate on the Host”.
- OpenSSL installed and configured. See Broadcom KB.
- A server with CA role installed and configured.
- You have the proper CA template. If not, see my guide to creating an SSL template HERE, or this Broadcom KB.
- You have an SSH client such as PuTTY and an SCP/SFTP client such as WinSCP.
- Enable ESXi Shell and Enable SSH on your host. Change these settings back when you finish to keep your environment secure.
Generate a CSR
There are a few ways you can set up OpenSSL; in my lab I'm running it directly from my PC. In a production environment you would run this from an admin PC or directly on a server. I've also set up my openssl.cfg file with the specifics of the host I'm working on; for additional hosts I'll update the cfg file with the relevant information for each one. Here's an example of what my openssl.cfg file looks like for the host I'm working on. In your environment, you'll want to change everything marked in a red box accordingly.

You can copy this and edit as needed.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ESXi104, IP:10.0.10.104, DNS:ESXi104.nested.local
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = AL
localityName = Mobile
0.organizationName = ChrisAllenPope.com
organizationalUnitName = Lab
commonName = ESXi104.nested.local

With your cfg file set up correctly, open an elevated command prompt on your PC, change directories to where openssl.exe is (in my case it's C:\Program Files\OpenSSL-Win64\bin) and run:

openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg

If it worked, you will see something like the screenshot below; otherwise OpenSSL prints an error describing whatever it doesn't like in the cfg file.

You’ll also notice two new files in the /bin folder of OpenSSL.

Now we need to convert the key to the RSA PEM format ESXi expects, so run:

openssl rsa -in rui-orig.key -out rui.key

You should see "writing RSA key" in the command prompt window, and if you check File Explorer you will see the new file there called rui.key.
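As an added example (not part of the original post), the script below does the whole CSR step for several hosts at once from a POSIX shell (Git Bash, WSL or a Linux admin box rather than the Windows command prompt used above): it writes a per-host openssl.cfg with the same sections and values as the one above, runs the two openssl commands, and prints the Subject Alternative Name that OpenSSL actually recorded in the CSR, so a typo in the cfg is caught before the request goes to the CA. The DN values and ESXi104 come from the post; ESXi105 and the Certs/<host>/ folder layout are assumptions (the layout follows the "staying organized" suggestion below).

```shell
#!/bin/sh
# Added example, not from the original post: batch CSR generation for ESXi
# hosts. Requires the openssl binary on PATH. The DN values below are the
# post's; hosts other than ESXi104 are constructed for illustration.
set -eu

# Emit an openssl.cfg with the same structure as the one in the post, with
# the host-specific values substituted. Args: short name, IP, DNS domain.
make_esxi_cfg() {
    host="$1"; ip="$2"; domain="$3"
    cat <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${host}, IP:${ip}, DNS:${host}.${domain}
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = AL
localityName = Mobile
0.organizationName = ChrisAllenPope.com
organizationalUnitName = Lab
commonName = ${host}.${domain}
EOF
}

# Generate rui.csr and rui.key for one host under Certs/<host>/ (with an
# empty Original/ subfolder for the files copied off the host later), then
# print the SAN line openssl parsed back out of the CSR.
gen_csr() {
    host="$1"; ip="$2"; domain="$3"
    dir="Certs/${host}"
    mkdir -p "${dir}/Original"
    make_esxi_cfg "$host" "$ip" "$domain" > "${dir}/openssl.cfg"
    ( cd "$dir" \
      && openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg 2>/dev/null \
      && openssl rsa -in rui-orig.key -out rui.key 2>/dev/null )
    # Show what actually ended up in the request, not what we intended
    openssl req -noout -text -in "${dir}/rui.csr" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# ESXi104 is the host from the post; ESXi105 is a constructed second host.
if command -v openssl >/dev/null 2>&1; then
    cd "$(mktemp -d)"
    gen_csr ESXi104 10.0.10.104 nested.local
    gen_csr ESXi105 10.0.10.105 nested.local
fi
```

Each run prints one line per host of the form `DNS:ESXi104, IP Address:10.0.10.104, DNS:ESXi104.nested.local`; if the short name, IP or FQDN is wrong you see it here rather than after the cert has been issued and installed.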

Requesting the Certificate
This is a good time to mention staying organized, specifically when working with multiple hosts. I like to create a folder named Certs and, in that folder, make sub-folders for each host. Inside the folder for each host make another folder named Original. Now you have a folder for these new rui files and a folder for the original rui files that we will copy off the host in a future step. Go ahead and copy the rui.csr and rui.key files out of the \bin folder and place them into the folder for the host you are working on.

For an external CA you will send them the .csr file and they send you back your cert. For those using an internal CA, we can head over to our CA web portal at http://servername/CertSrv/. I'm going to assume most of us are familiar with requesting certs from the web portal, so I'll limit the screenshots here and focus on the steps.
- Click on Request a certificate, then click advanced certificate request.
- Open your .csr file with a text editor and copy everything, making sure not to include any extra whitespace at the beginning or end. Paste this into the Saved Request box.
- Under Certificate Template, change this to your preconfigured VMware SSL template; if you need to add any additional attributes, do so here, then click Submit >.
- Select Base 64 encoded then click on Download certificate.
- Open the folder where the cert downloads, rename it to rui.crt (click Yes when prompted to change the file extension), and move it into the host’s folder you’re working on. At this point you will have three files in this folder, rui.csr, rui.crt, and rui.key.

Installing the Certificate on the Host
If you're working with fresh, stand-alone hosts, you're good to go. But if vCenter already manages them, will manage them, or they're part of a vSAN cluster, you need to complete a few extra steps first. To begin, enable custom certificate mode in vCenter; otherwise VMCA will replace your self-signed certificates on your host. To enable custom mode, select your vCenter server > Configure > Advanced Settings > Edit Settings. Find vpxd.certmgmt.mode, change it to custom, then click Save.

If vCenter isn’t managing your host yet, skip to Step 2.
First, we need to place the host in maintenance mode, then disconnect it from the cluster.
- In vCenter, right-click the host, Maintenance Mode>Enter Maintenance Mode.
- Then right-click the host again, Connection>Disconnect.
After disconnecting the host from vCenter, SSH into it and run the following command to back up castore.pem:

cp /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.bak

Now we're going to switch over to our SFTP client and upload our certificate chain (root and intermediate); in my case I only have the root CA certificate, but the process is the same.
In WinSCP, navigate to /etc/vmware/ssl and upload your chain into this folder.

Back in our PuTTY session we need to change directories to the ssl folder using this command:

cd /etc/vmware/ssl

Then run the following command to append our root to the castore.pem file (change the name of the .cer file to match what you uploaded to your host; the file must be Base64/PEM encoded, since castore.pem is simply a concatenation of PEM certificates):

cat AD222-Root.cer >> castore.pem

Back in WinSCP, we need to copy the original rui.crt and rui.key files off the host. This is where the Original folder I made comes into play.
Select the original files from the Host and drag them over to your PC to save a copy of them.

Now we need to move our new crt and rui.key onto the host.
Highlight both files and drag them over to the ssl folder on the host. The system will prompt you to confirm overwriting the files; select Yes for both.

After you upload the new certs, run this command to ensure the changes persist across a reboot:

/sbin/auto-backup.sh

You'll see output like this.
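The host-side steps above (back up castore.pem, append the root, copy in rui.crt and rui.key, run /sbin/auto-backup.sh) can be collapsed into one pre-flight script run in the ESXi shell. This is an added example, not from the original post: before it overwrites anything it checks that rui.crt actually belongs to rui.key, refuses a chain file that is not PEM, appends the root to castore.pem only once so re-runs don't keep growing the store, and verifies the new cert against the updated store. It assumes the new files were uploaded to /tmp/newcert rather than straight into the ssl folder, and that the chain file is named AD222-Root.cer as in the post; SSL_DIR defaults to /etc/vmware/ssl.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks plus install
# for the host-side steps, meant to run in the ESXi shell (busybox ash) over
# SSH. Assumptions: the new rui.crt, rui.key and the CA chain file were
# uploaded to /tmp/newcert; the chain file name AD222-Root.cer is the post's.
set -eu

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# castore.pem is a concatenation of PEM (Base64) certificates; appending a
# DER-encoded .cer to it corrupts the store, so check the encoding first.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The certificate's public modulus must equal the private key's; otherwise
# the host's web interface will not come back up over TLS after the reboot.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2")
    [ "$c" = "$k" ]
}

# Append a CA certificate to castore.pem at most once. Returns 0 when
# appended or already present, 1 when the input is not PEM. The first
# Base64 body line of the cert is used as the "already present" marker.
append_to_castore() {
    ca="$1"; store="$2"
    is_pem_cert "$ca" || return 1
    body=$(grep -v -- '-----' "$ca" | head -n 1)
    if [ -f "$store" ] && grep -qF -- "$body" "$store"; then
        return 0
    fi
    cat "$ca" >> "$store"
}

# Back up, check, append, verify, install, persist. Nothing in $SSL_DIR is
# touched until the new cert and key have been checked against each other.
install_host_cert() {
    stage="$1"; ca_file="$2"
    cert_matches_key "$stage/rui.crt" "$stage/rui.key" \
        || { echo "rui.crt does not match rui.key, aborting" >&2; return 1; }
    cp "$SSL_DIR/castore.pem" "$SSL_DIR/castore.pem.bak"
    cp "$SSL_DIR/rui.crt" "$SSL_DIR/rui.crt.bak"
    cp "$SSL_DIR/rui.key" "$SSL_DIR/rui.key.bak"
    append_to_castore "$stage/$ca_file" "$SSL_DIR/castore.pem" \
        || { echo "$ca_file is not PEM; export it as Base64 first" >&2; return 1; }
    # The new cert must chain to what is now in the store
    openssl verify -CAfile "$SSL_DIR/castore.pem" "$stage/rui.crt" >/dev/null \
        || { echo "rui.crt does not verify against castore.pem, aborting" >&2; return 1; }
    cp "$stage/rui.crt" "$stage/rui.key" "$SSL_DIR/"
    /sbin/auto-backup.sh      # persist the change across reboots, as in the post
    echo "new certificate installed; type reboot to activate it"
}

# Only run the install on an ESXi host where the staging directory exists.
if [ -d /tmp/newcert ] && [ -x /sbin/auto-backup.sh ]; then
    install_host_cert /tmp/newcert AD222-Root.cer
fi
```

The modulus comparison is the check that saves the most time: a cert downloaded for the wrong host, or a rui.key from a different CSR run, fails it immediately instead of leaving you with a host whose web UI no longer answers after the reboot.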

Type reboot in your ssh session to reboot the host.
Now when you log into the host’s web interface, you see a secure connection, confirming that the system applied the new certificate.

Next we need to reconnect the host to vCenter and take it out of maintenance mode.
- Right-click the host, go to Connection and click on Connect, then click to confirm.
- After it reconnects, take it out of maintenance mode.
Now our host has an updated internal CA cert. I realize my walkthrough had some particulars that may not always apply in every case. However, this is a standard way of replacing or updating the certs on an ESXi host. Once you do it a couple of times, you’ll often spend more time waiting for the host to enter maintenance mode than all the other steps combined.