Virtual Geek

Tales from the real world of IT system administrators and non-production environments

Replacing a default ESXi certificate with a CA-Signed certificate

Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate

In the first two posts listed above I showed how to generate a self-signed certificate with the open source OpenSSL tool and how to use Group Policy so that the whole domain trusts it. In this post I will achieve the same task, but obtain the certificate from a Microsoft Certificate Authority server instead and deploy it on the ESXi server. To create the private key and the CSR file I am again using OpenSSL; see my previous article on how to set up OpenSSL in your environment. Open PowerShell and change to the working directory, c:\temp\esxi001 in my case, where all the files will be stored. I keep the esxi001.cnf file in the same location; its contents are shown below. Modify the host-specific options (subjectAltName, organizationName and commonName) to match your environment.

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Fill in the host's FQDN and management IP; clients validate the URL they connect to against this list
subjectAltName = DNS:<esxi001 FQDN>, DNS:esxi001, IP:<esxi001 IP address>

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = MH
localityName = Pune
0.organizationName = <your organisation>
organizationalUnitName = Information Technology
# Use the same FQDN that clients use to reach the host
commonName = <esxi001 FQDN>

The first command below generates a 2048-bit RSA private key (rui.key); the second uses that key together with the .cnf file to generate the certificate signing request (rui.csr).

openssl genrsa -out rui.key 2048
openssl req -new -key rui.key -out rui.csr -config esxi001.cnf


All the required files are now created and the folder holds three files (esxi001.cnf, rui.key and rui.csr). The next requirement is a Certificate Authority server. For lab testing I configured a very basic Root CA: the Active Directory Certificate Services role with the Certification Authority and Certification Authority Web Enrollment services installed, set up as an Enterprise Root CA. To request a CA-signed certificate, open http://<fqdn or IP>/certsrv and under Select a task click Request a certificate.


On the next page click on Submit an advanced certificate request to proceed.


Next choose Submit a Certificate by using a base-64-encoded CMC or PKCS #10 file or submit a renewal request by using a base-64-encoded PKCS #7 file option.


Open the rui.csr file generated earlier with OpenSSL in Notepad. Copy the entire contents and paste them as-is into the Saved Request textbox (Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)), including the very first line -----BEGIN CERTIFICATE REQUEST----- and the last line -----END CERTIFICATE REQUEST-----.

On the Certificate Template box select Web Server and proceed with Submit button.


This is the last step on the CA server. Choose the Base 64 encoded radio button and click Download certificate; when saving, rename the file to rui.crt. (If your environment does not yet trust the Root CA certificate, this is a one-time task: download the certificate chain as well and follow the article Push SSL certificates to client computers using Group Policy.)


Enable the SSH service on the ESXi server and use the WinSCP tool to upload rui.crt and rui.key to /etc/vmware/ssl on the host. Back up or rename the existing rui.crt and rui.key first so that you can roll back, or simply overwrite them.


For the change to take effect, run the following on the ESXi host over SSH; it restarts the management services and follows the log while they come back up: services.sh restart & tail -f /var/log/jumpstart-stdout.log


Once you open the ESXi web URL in a fresh browser session, the certificate shows as trusted. Check the Certification Path tab: it should show the certificate chain with the Root CA certificate as the parent.
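The checks a practitioner wants around the procedure above, as an added PowerShell example that is not part of the original post: it submits rui.csr with certreq (a command-line alternative to the certsrv web form, using the same Web Server template), verifies that the issued rui.crt belongs to rui.key and names the host in subjectAltName before anything is copied to /etc/vmware/ssl, and after the restart confirms that the host really serves the new certificate with a trusted chain. The CA config string and host name are placeholders; openssl.exe on PATH and a workstation that already trusts the Root CA chain are assumed.

```powershell
# Added example (not from the original post). Assumes rui.key, rui.csr and rui.crt live in C:\temp\esxi001,
# openssl.exe is on PATH, and this workstation already trusts the Root CA chain (see the Group Policy article).
# $CaConfig and $EsxiHost are hypothetical placeholders; replace them with your CA and host.
$Dir      = 'C:\temp\esxi001'
$CaConfig = '<CA host FQDN>\<CA name>'        # list the CA config string with: certutil -config - -ping
$EsxiHost = '<esxi001 FQDN>'                  # the FQDN you placed in subjectAltName / commonName
Set-Location $Dir

# 1. Submit the CSR to the Web Server template from the command line instead of the certsrv web form.
#    certreq writes the issued, Base-64 encoded certificate straight to rui.crt.
if (-not (Test-Path 'rui.crt')) {
    certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' 'rui.csr' 'rui.crt'
    if ($LASTEXITCODE -ne 0) { throw "certreq failed (exit $LASTEXITCODE); is the Web Server template published?" }
}

# 2. Pre-deployment checks: rui.crt must belong to rui.key and must name this host, or hostd will not serve it.
$certMod = (openssl x509 -noout -modulus -in 'rui.crt') -join ''
$keyMod  = (openssl rsa  -noout -modulus -in 'rui.key') -join ''
if ($certMod -ne $keyMod) { throw 'rui.crt does not match rui.key; the CA issued it for a different CSR' }

$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $Dir 'rui.crt')
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if (-not $sanExt) { throw 'certificate has no subjectAltName; browsers ignore commonName alone' }
$san = $sanExt.Format($true)
if ($san -notmatch [regex]::Escape($EsxiHost)) { throw "subjectAltName does not list $EsxiHost :`n$san" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "certificate expires on $($cert.NotAfter)" }
# Verify() builds the chain and checks revocation online, so the CA's CRL distribution point must be reachable
if (-not $cert.Verify()) { throw 'chain does not build to a trusted root here; push the CA chain via Group Policy first' }
"Issued by $($cert.Issuer), valid until $($cert.NotAfter), thumbprint $($cert.Thumbprint)"

# 3. Post-deployment check: after uploading rui.crt/rui.key to /etc/vmware/ssl and restarting the management
#    services, confirm the host serves the CA-signed certificate and that the chain validates (no "unknown CA").
function Test-EsxiServedCert([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        # No custom validation callback: AuthenticateAsClient throws if the served chain is not trusted
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Subject       = $served.Subject
            Issuer        = $served.Issuer
            Thumbprint    = $served.Thumbprint
            MatchesRuiCrt = ($served.Thumbprint -eq $cert.Thumbprint)   # same file we just uploaded?
        }
    } finally { $tcp.Close() }
}
$null = Read-Host 'Upload rui.crt and rui.key to /etc/vmware/ssl, run services.sh restart on the host, then press Enter'
Test-EsxiServedCert -HostName $EsxiHost
```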


Useful articles
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
Configure syslog on VMware ESXi hosts: VMware best practices
