You can replace the default self-signed ESXi and vCenter SSL certificates from the CLI. First you need an SSL certificate file and the matching private key file, uploaded to a directory on the vCenter Server.
Step 1: Check your certificate file
The certificate file must contain the intermediate and root CA certificates as well as the machine certificate itself, in that order. A simple (abbreviated) example of the certificate file layout is shown below.
-----BEGIN CERTIFICATE-----
MIIFxTCCBK2gAwIBAgIKYaLJSgAAAAAAITANBgkqhkiG9w0BAQUFADBGMRMwEQYK
CZImiZPyLGQBGRYDbmV0MRYwFAYKCZImiZPyLGQBGRYGbW5uZXh0MRcwFQYDVQQD
Ew5tbm5leHQtQUQtMS1DQTAeFw0xMzAyMDExNjAxMDNaFw0xNTAyMDExNjExMDNa     <----- Certificate
SMhYhbv3wr7XraAnsIaBYCeg+J7fKTFgjA8bTwC+dVTaOSXQuhnZfrOVxlfJ/Ydm
NS7WBBBFd9V4FPyRDPER/QMVl+xyoaMGw0QKnslmq/JvID4FPd0/QD62RAsTntXI
ATa+CS6MjloKFgRaGnKAAFPsrEeGjb2JgMOpIfbdx4KT3WkspsK3KPwFPoYza4ih
4eT2HwhcUs4wo7X/XQd+CZjttoLsSyCk5tCmOGU6xLaE1s08R6sz9mM=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr     <----- Intermediate Certificate
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQNO7aLfykR4pE94tcRe0vyDANBgkqhkiG9w0BAQUFADBG
K73RIKZaDkBOuUlRSIfgfovUFJrdwGtMWo3m4dpN7csQAjK/uixfJDVRG0nXk9pq
GXaS5/YCv5B4q4T+j5pa2f+a61ygjN1YQRoZf2CHLe7Zq89Xv90nhPM4foWdNNkr     <----- Root Certificate
/Esf1E6fnrItsXpIchQOmvQViis12YyUvwko2aidjVm9sML0ANiLJZSoQ9Zs/WGC
TLqwbQm6tNyFB8c=
-----END CERTIFICATE-----
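As an added example (not part of the original post), here is a POSIX shell check that applies Step 1 to a chain file and key before you hand them to certificate-manager, using only the openssl CLI: the machine certificate must come first, the bundle must verify up to a self-signed root (so intermediate and root are both present), the key must match the leaf, and the leaf's SAN must cover the host name, which is the attribute certificate-manager compares between old and new certificates. The host name vcsa.example.test, the functions check_chain and gen_demo_pki, and the throwaway PKI it generates are all constructed for this demo.

```shell
# Added example (not from the original post): pre-flight check for the chain file and key.
# Needs only the openssl CLI; host name and all files below are constructed demo values.
set -eu
WORK=$(mktemp -d)
HOST=vcsa.example.test

# check_chain CHAIN KEY HOST: succeeds only if the leaf comes first, the bundle verifies up to a
# self-signed root (so intermediate and root are both present), KEY belongs to the leaf, and the
# leaf's SAN lists HOST (the attribute certificate-manager compares between old and new certs).
check_chain() {
    chain=$1 key=$2 host=$3 d=$(mktemp -d)
    awk -v d="$d" '/BEGIN CERT/{n++} n>0{f=d "/cert-" n; print > f}' "$chain"   # one file per cert
    n=$(ls "$d"/cert-* | wc -l)
    [ "$n" -ge 2 ] || { echo "FAIL: only $n certificate(s); the CA chain is missing"; return 1; }
    leaf=$d/cert-1
    openssl x509 -in "$leaf" -noout -text | grep -q 'CA:TRUE' &&
        { echo "FAIL: first certificate is a CA; the machine certificate must come first"; return 1; }
    cat "$d"/cert-[2-9]* > "$d/cas.pem"   # everything after the leaf is the CA chain
    openssl verify -CAfile "$d/cas.pem" "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: chain does not verify (intermediate or root missing or mismatched)"; return 1; }
    a=$(openssl x509 -in "$leaf" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ] || { echo "FAIL: key file does not match the leaf certificate"; return 1; }
    openssl x509 -in "$leaf" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$host" ||
        { echo "FAIL: SAN lacks DNS:$host (certificate-manager would report a SAN mismatch)"; return 1; }
    echo "OK: $chain is leaf -> intermediate -> root, key matches, SAN covers $host"
}

# Constructed throwaway PKI (root -> intermediate -> leaf with SAN DNS:$HOST) to exercise the check.
gen_demo_pki() (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > leaf.ext
    for tier in root int leaf; do   # one key and CSR per tier
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$tier" -keyout "$tier.key" -out "$tier.csr" 2>/dev/null
    done
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
        -extfile ca.ext -out int.crt 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 2 \
        -extfile leaf.ext -out leaf.crt 2>/dev/null
    cat leaf.crt int.crt root.crt > good_chain.pem   # the layout Step 1 asks for
    cat leaf.crt int.crt > no_root.pem                # common mistake: root omitted
)

gen_demo_pki
check_chain "$WORK/good_chain.pem" "$WORK/leaf.key" "$HOST"
check_chain "$WORK/no_root.pem" "$WORK/leaf.key" "$HOST" || true   # expected to fail
```

Run it against your real machine_name_ssl.cer and machine_name_ssl.pem by calling check_chain with those paths and the vCenter FQDN instead of the demo files.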
Step 2: Replace the certificate on the vCenter Server
The commands below are for the vCenter Server Appliance, but the same operation can be performed on all vCenter Server deployments with the same command set.
vCenter Server 6.x Appliance:
/usr/lib/vmware-vmca/bin/certificate-manager
Windows vCenter Server 6.x:
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
If you start the operation without modifying the certificate-manager file, you will probably get a SAN mismatch error:
Error: Previous Machine_SSL_CERT Subject alternative name does not match new Machine_SSL_Certificate Subject alternative name
How to fix the SAN mismatch problem?
Open certificate-manager with vi on the appliance and comment out the following two lines (prefix them with #, as shown). This disables the SAN comparison between the old and new certificate. The bug was fixed in vCenter Appliance 6.5 Update 2.
# if var.strip() in ['1']:
#     iscomparerequired = compare_certificate_san(oldcert, cert_file)
Then start certificate-manager from the vCenter Server CLI and choose the following options:
1. Replace Machine SSL certificate with Custom Certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
When prompted, provide the certificate file and the key file:
File : /root/certificate/machine_name_ssl.cer
File : /root/certificate/machine_name_ssl.pem
Type "Y" and wait for the "operation finished" message. A full session is shown below.
root@casesup [ /usr/lib/vmware-vmca/share/config ]# /usr/lib/vmware-vmca/bin/certificate-manager
 _________________________________________________________________
|                                                                 |
|      *** Welcome to the vSphere 6.5 Certificate Manager  ***    |
|                                                                 |
|                   -- Select Operation --                        |
|                                                                 |
|      1. Replace Machine SSL certificate with Custom Certificate |
|                                                                 |
|      2. Replace VMCA Root certificate with Custom Signing       |
|         Certificate and replace all Certificates                |
|                                                                 |
|      3. Replace Machine SSL certificate with VMCA Certificate   |
|                                                                 |
|      4. Regenerate a new VMCA Root Certificate and              |
|         replace all certificates                                |
|                                                                 |
|      5. Replace Solution user certificates with                 |
|         Custom Certificate                                      |
|                                                                 |
|    6. Replace Solution user certificates with VMCA certificates |
|                                                                 |
|      7. Revert last performed operation by re-publishing old    |
|         certificates                                            |
|                                                                 |
|      8. Reset all Certificates                                  |
|_________________________________________________________________|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1

Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:

1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 2

Please provide valid custom certificate for Machine SSL.
File : /root/certificate/machine_name_ssl.cer

Please provide valid custom key for Machine SSL.
File : /root/certificate/machine_name_ssl.pem

Please provide the signing certificate of the Machine SSL certificate
File : /root/certificate/machine_name_ssl.cer

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y

Command Output: /root/certificate/machine_name_ssl.cer: OK
Get site nameCompleted [Replacing Machine SSL Cert...]
Updated 29 service(s)
Status : 100%
Completed [All tasks completed successfully]
Step 3: Replace the certificate on the ESXi host
a) Log in to the ESXi host shell
b) Check the current certificate files under /etc/vmware/ssl
c) Back up the current certificate and key, whose names start with rui* (the key as rui.key_backup and the certificate as rui.crt_backup)
# cd /etc/vmware/ssl
# cp rui.key rui.key_backup
# cp rui.crt rui.crt_backup
# ls -lrt
total 32
-rw-r--r-T    1 root     root             0 Mar 21 21:10 vsanvp_castore.pem
-rw-r--r-T    1 root     root             0 Mar 21 21:10 vsan_kms_client_old.key
-rw-r--r-T    1 root     root             0 Mar 21 21:10 vsan_kms_client_old.crt
-rw-r--r-T    1 root     root             0 Mar 21 21:10 vsan_kms_client.key
-rw-r--r-T    1 root     root             0 Mar 21 21:10 vsan_kms_client.crt
-rw-r--r-T    1 root     root             0 Mar 21 21:10 vsan_kms_castore_old.pem
-rw-r--r-T    1 root     root             0 Mar 21 21:10 vsan_kms_castore.pem
-r--r--r--    1 root     root           229 Apr 18 01:38 openssl.cnf
-r--------    1 root     root          3211 Jun 28 23:53 rui.bak
-rw-r--r--    1 root     root          2551 Jun 28 23:53 castore.pem
-rw-r--r--    1 root     root          3169 Jun 28 23:53 iofiltervp.pem
-r--------    1 root     root          1708 Jul  9 06:15 rui.key_backup
-rw-r--r--    1 root     root          1460 Jul  9 06:16 rui.crt_backup
-rw-r--r--    1 root     root          3891 Jul  9 06:17 rui.crt
-r--------    1 root     root          3272 Jul  9 06:17 rui.key
[root@casesup:/etc/vmware/ssl]
d) Replace the contents of rui.crt and rui.key
Open each file with vi, delete the existing certificate (or key) content, then paste in the new certificate chain into rui.crt and the new private key into rui.key.
e) Restart the management agents
After you have placed the new certificate and key in rui.crt and rui.key, you must restart the management agents. Rebooting the host is another option. If you don't want to reboot, connect to the ESXi console, press F2, enter the root password and restart the management agents under Troubleshooting. Read the warning shown before restarting the management agents: all remote connections to this host will be closed when the operation starts.