How to replace default SSL certificate for Vmware VCenter and ESXi hosts

VmwareYou can replace default self signed ESXi  and VCenter  SSL certificate from CLI. First  of all you should get  a SSL certificate file and  also a key file. You need to  upload them under a directory  from VCenter server.

Step 1: Check  your certificate file

The certificate file  must contain intermediate and  also  root CA certificate. I added simple example  of certificate  file below.

 

 

Step 2: Replace Certificate on  Vcenter Server

I added commands  for VCenter Server Appliance . But same operation can be  performed  for all VCenter Server solutions with same  command sets.

vCenter Server 6.x Appliance:

/usr/lib/vmware-vmca/bin/certificate-manager

Windows vCenter Server 6.x:

C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

If you start operation without make a  change on certificate-manager file, you probably  get an error that  SAN mismatch  problem.

Error:Previous Machine_SSL_CERT Subject alternative name does not match new Machine_SSL_Certificate Subject alternative name

How to fix SAN mismatch  Problem?

Open certificate-manager with “vi”  command on appliance server  and  uncommend these  two lines. It will disable SAN  check for the certificate. This  bug  fixed  for VCenter  Appliance  6.5  Update 2.

#        if var.strip() in [‘1’]:

#            iscomparerequired = compare_certificate_san(oldcert, cert_file)

Then start certificate-manager command from  VCenter Server CLI.

1. Replace Machine SSL certificate with Custom Certificate

2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

File : /root/certificate/machine_name_ssl.cer

File : /root/certificate/machine_name_ssl.pem

Type  “Y” wait  for operation finished message.

 

 

Step 3: Replace Certificate on  ESXi  Server

a) Login  ESXi host shell

b)Check certificate  under  “/etc/vmware/ssl”

c)Backup current certificate which starts  with  rui*

d)Change  RUI.crt  And RUI.KEY

You shoul open file  with  “vi” then  remove all certificate. After  then import new  ones.

e)Restart Management  Process

After you finished  to add  certificate to the file which  named “rui.crt” and “rui.key”  then you should  restart  management  agents. Also  host restart  is  another  option. But  if you don’t want to restart host then you should  connect  ESXi console  then press “F2” , enter root password  restart  management agent  under  Troubleshooting. Please read  warning  when you  will restart management  agent. All remote connections  to this  host  will be  closed when you start to the  operation.

 

Userful  Links:

ESXi  Host VMware Page

VCenter Server VMware Page

Follow me

Abdurrahim

I'm a System Engineer with extensive experience and administration skills and works for Interbank Card Center Of Turkey.I provide hardware and software support for the following Unix/Linux and Windows platforms.(Oracle Solaris,HP-UX, Linux, IBM-AIX, Windows Servers)
Follow me

Latest posts by Abdurrahim (see all)

facebooktwittergoogle_pluslinkedinby feather

0