ESXi -Generate Self-signed Certificate using Open SSL and Certificate Authority

Loading

This post assumes you have an Active directory CA installed and web enrollment working as we will need it to complete the exercise

Generating a certificate key using OpenSSL

Download and install OpenSSL

Go to C:\Program Files\OpenSSL-Win64\bin and open openssl.cfg

Delete everything from this file and replace it as shown below

Here is my sample file, you will need copy this file as such and edit all the highlighted sections with your server info

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:sfo01-m01-esx02, IP:172.16.11.102, DNS:sfo01-m01-esx02.ash.local

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = ash.local
organizationalUnitName = computers

commonName = sfo01-m01-esx02.ash.local

To generate a certificate request key for an ESXi server using OpenSSL

Go to C:\Program Files\OpenSSL-Win64\bin and run the command to create the keys

openssl req -new -nodes -out rui.crt -keyout rui-orig.key -config openssl.cfg 

To get the key in an RSA format, input the below command

openssl req -new -nodes -out rui.crt -keyout rui-orig.key -config openssl.cfg 

The output from the above command produces 2 files as shown.

Generating a certificate from Central CA dc.ash.local

Go to chrome browser and browse to your web enrollment page as shown

http://localhost/certsrv/

Click Request certificate

Submit an advanced certificate request.

Open the file C:\Program Files\OpenSSL-Win64\bin\rui.cert using notepad and paste the contents of notepad into saved request tab as shown

Click Download Certificate

Now we will be having two files – first one, the CA generated by dc1.ash.local & second, the key generated by Open SSL

Installing the Certificate on ESX

We will be copying these two files onto the /etc/vmware/ssl path on esx server to replace the certificates

Establish an ssh session to the esx host and navigate to /etc/vmware/ssl directory

The two files we are interested in are rui.crt and rui.key.

[root@sfo01-m01-esx02:~] ls -ltr /etc/vmware/ssl/rui*


-r——– 1 root root 1704 Apr 21 17:23 /etc/vmware/ssl/rui.key
-rw-r–r– 1 root root 1411 Apr 21 17:23 /etc/vmware/ssl/rui.crt
[root@sfo01-m01-esx02:~]

Regenerate a New Certificate on esx

In this exercise we will just overwrite the rui.crt and rui.key available on esx host with the files we prepared

Rename the file certnew in the above picture to rui.crt and rui-orig.key to rui.key and copy these two files into a new folder

I’ve copied the files to a new folder

Overwrite rui.crt and rui.key on the esx from files our desktop to esx server using scp or filezila

During this copy, there is a chance that special characters could be added to the file rui.crt

Open rui.crt using vi editor as shown

Delete everything in file

Open rui.crt from our desktop in notepad and copy all contents to vi editor as shown

Restart hostd and vpxa services by executing the following command:

/etc/init.d/hostd restart && /etc/init.d/vpxa restart 
watchdog-hostd: Terminating watchdog process with PID 1050267
hostd stopped.
hostd started.
watchdog-vpxa: Terminating watchdog process with PID 1050602
vpxa stopped.
vpxa started.
[root@sfo01-m01-esx02:/etc/vmware/ssl]

Restart the host

reboot

At this stage you would expect vCF to pass validation but most likely it wont as you still will get the same error as shown above

Adding to Trust Root Certificate

There is one more step we need to do now to ensure the certificate we generated using OpenSSL is trusted by our Trust Root Certificate and this happens as below.

To fix that, we go back to the rui.crt and clck install certificate as shown

Place the certficate into Trusted Root Cert

Finish the wizard

Click Ok to finish

Now our certificate is valid and trusted.

(Visited 200 times, 1 visits today)

By Ash Thomas

Ash Thomas is a seasoned IT professional with extensive experience as a technical expert, complemented by a keen interest in blockchain technology.

Leave a Reply