Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
In the first two blogs listed above I showed how to create a self-signed certificate with the open-source OpenSSL tool and how to use Group Policy to make your whole domain trust it. In this blog I walk through the same task, but this time the certificate is issued by a Microsoft Certificate Authority (Active Directory Certificate Services) and then deployed on the ESXi server. The private key and CSR are still generated with OpenSSL; see my earlier article on how to set up OpenSSL in your environment. Open PowerShell and change to the working directory where all the files will be kept (here c:\temp\esxi001). The esxi001.cnf file shown below lives in the same folder; change the distinguished-name values and, above all, the subjectAltName entries (FQDN, short name and IP address of the host) to match your own ESXi host. Browsers match the host name against the SAN, not the commonName, so a wrong or missing SAN entry will still produce certificate warnings even when the commonName is correct.
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:"esxi001.vcloud-lab.com", DNS:"esxi001", IP:"192.168.34.21"
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = MH
localityName = Pune
0.organizationName = vcloud-lab.com
organizationalUnitName = Information Technology
commonName = esxi001.vcloud-lab.com
The first command below generates a 2048-bit RSA private key (rui.key); the second uses that key together with esxi001.cnf to produce the certificate signing request rui.csr. The key is written unencrypted (encrypt_key = no) because ESXi must be able to read it without a passphrase.
openssl genrsa -out rui.key 2048
openssl req -new -key rui.key -out rui.csr -config esxi001.cnf
I now have all the required files, three in total: esxi001.cnf, rui.key and rui.csr. The next requirement is a certificate authority. For this lab I set up a very basic Enterprise Root CA by installing the Active Directory Certificate Services role with the Certification Authority and Certification Authority Web Enrollment role services. To request a CA-signed certificate, open http://<fqdn or IP>/certsrv and, under Select a task, click Request a certificate.
On the next page click Submit an advanced certificate request.
Next choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Open the rui.csr file generated earlier with OpenSSL in Notepad, copy all of its contents and paste them as-is into the Saved Request text box (Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)). Include the very first line -----BEGIN CERTIFICATE REQUEST----- and the last line -----END CERTIFICATE REQUEST-----.
In the Certificate Template box select Web Server and click Submit. If the Web Server template is not listed, the account you are logged on with has not been granted Enroll permission on that template, or the template has not been published on the CA.
This is the last step on the CA server. Choose the Base 64 encoded radio button, click Download certificate and save the file as rui.crt. Base 64 (PEM) is required here: ESXi expects rui.crt in PEM format, and a DER-encoded file will not load. If your clients do not yet trust this root CA, do the one-time task of downloading the CA certificate chain and follow the article Push SSL certificates to client computers using Group Policy.
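The key-and-CSR step above and the certificate the CA hands back can both be checked before anything is copied to the host. The script below is an added example, not part of the original post and not VMware's or Microsoft's tooling: it repeats the post's OpenSSL commands with the same esxi001.cnf, stands in for the Microsoft CA with a throwaway OpenSSL root CA (an assumption made so it runs offline; the real CA's Web Server template is assumed to copy the SAN and EKU from the request, which is what is simulated here), and then runs the checks worth running on the real downloaded rui.crt: the CSR and the issued certificate carry the SAN you configured, rui.crt matches rui.key, and rui.crt chains to the root CA certificate you distribute via Group Policy. It is written for a POSIX shell; the openssl commands are identical when typed into PowerShell on Windows.

```shell
#!/bin/sh
# Added example (not from the original post): run the post's OpenSSL steps end
# to end, stand in for the Microsoft CA with a throwaway OpenSSL root CA, then
# run the checks to apply to the real rui.crt before uploading it to ESXi.
# Assumption: the real CA (Web Server template) copies the CSR's extensions
# (SAN, EKU) into the issued certificate, which is what is simulated below.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Same esxi001.cnf as the post (OpenSSL strips the quotes, so they are omitted).
cat > esxi001.cnf <<'EOF'
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi001.vcloud-lab.com, DNS:esxi001, IP:192.168.34.21
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = MH
localityName = Pune
0.organizationName = vcloud-lab.com
organizationalUnitName = Information Technology
commonName = esxi001.vcloud-lab.com
EOF

# Step 1 (as in the post): 2048-bit key and CSR.
openssl genrsa -out rui.key 2048 2>/dev/null
openssl req -new -key rui.key -out rui.csr -config esxi001.cnf

# Step 2: lab stand-in for the Microsoft CA (constructed for this example).
# basicConstraints CA:TRUE is set explicitly so 'openssl verify' accepts the
# root as a trust anchor on every OpenSSL version.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
commonName = vcloud-lab Root CA (lab stand-in)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 30 -sha256 -config ca.cnf 2>/dev/null
# Issue rui.crt from the CSR, carrying the v3_req extensions (SAN, EKU) across.
openssl x509 -req -in rui.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out rui.crt -days 30 -sha256 -extfile esxi001.cnf -extensions v3_req 2>/dev/null

# A key that was NOT used for the CSR, to show the mismatch check firing.
openssl genrsa -out wrong.key 2048 2>/dev/null

# --- Checks to run before copying the pair to /etc/vmware/ssl ---

# The CSR carries the SAN entry you configured ($2 is a literal grep pattern).
csr_has_san() { openssl req -in "$1" -noout -text | grep -q -- "$2"; }

# rui.crt and rui.key are a pair: compare the public key derived from each.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# The issued certificate chains to the root CA you push out with Group Policy.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# The CA kept the SAN ($2 is a literal grep pattern) and the serverAuth EKU.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# Run the checks; with set -e any failure stops before a bad file reaches the host.
csr_has_san rui.csr "DNS:esxi001.vcloud-lab.com"
cert_matches_key rui.crt rui.key
chain_verifies rui.crt ca.crt
cert_has_san rui.crt "DNS:esxi001.vcloud-lab.com"
cert_has_san rui.crt "IP Address:192.168.34.21"
cert_has_server_auth rui.crt
if cert_matches_key rui.crt wrong.key; then echo "unexpected key match"; exit 1; fi
echo "rui.crt and rui.key are consistent and ready for /etc/vmware/ssl ($WORK)"
```

On the real CA, skip the stand-in section and point cert_matches_key and chain_verifies at the downloaded rui.crt and the root CA certificate you exported from certsrv; a failed cert_matches_key almost always means the CSR was generated from a different rui.key than the one being uploaded.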
Enable the SSH service on the ESXi host and use WinSCP to upload rui.crt and rui.key to /etc/vmware/ssl. Back up (or rename) the existing rui.crt and rui.key first so you can roll back if hostd refuses the new pair; the file names must be exactly rui.crt and rui.key. Disable SSH again once you are done (see the PowerCLI article under Useful Article below).
To make the change take effect, run the following on the ESXi host to restart the management services and watch them come back up: services.sh restart & tail -f /var/log/jumpstart-stdout.log. This restarts hostd, vpxa and the other management agents, so any open vSphere Client sessions to the host will drop; do it in a maintenance window. If hostd does not come back after the change, restore the backed-up files and restart the services again.
Open the ESXi web UI in a fresh browser session. The certificate should now show as trusted; check the certification path, which should show the root CA certificate as the parent of the ESXi certificate. As a final check, compare the SHA-256 thumbprint the browser displays with the thumbprint of the rui.crt you uploaded, so you know the host is serving the new certificate and not one cached by the browser.
Useful Article
VMWARE SECURITY BEST PRACTICES: POWERCLI ENABLE OR DISABLE ESXI SSH
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
Configure syslog on VMware ESXi hosts: VMware best practices