VMware Cloud Community
sofakng
Contributor

Does ESXi 5 support SSL certificate chains?

I have an SSL certificate from a public certificate authority but it uses an intermediate/chain certificate. (i.e. GlobalSign Root CA is the root CA and is "pre-trusted" by all browsers, but the AlphaSSL Intermediate Authority is an intermediate certificate that needs to be installed.)

It looks like rui.crt (the ESXi host SSL certificate) does NOT support multiple certificates inside the file. (i.e. including the intermediate/chain certificate, like Apache Mod-SSL, etc.)

So... does ESXi support intermediate/chain certificates?  If not, how do I get around this when using my public SSL certificate?

0 Kudos
3 Replies
sofakng
Contributor

Anybody?

0 Kudos
Craig_Baltzer
Expert

Correct, the 'rui.key/rui.crt' is a single cert and there doesn't appear to be any way to do Apache/IIS style certificate chains. So that means you need to get the intermediate cert installed on any device that will be talking to the vSphere server with your public cert. Not a huge deal if you're just dealing with a few workstations (for example on a Windows workstation you'd just add it to the Intermediate Certification Authorities), or if you have Active Directory you can add it via GPO (which is how we deal with certs issued by our internal CA, which also requires the use of an intermediate cert).

0 Kudos
MKguy
Virtuoso

I suppose this was actually possible in previous versions already, but I have chained certificates working just fine on my ESXi 5.1 U1 hosts.

In my case the chained certificate was downloaded in p7b format from the CA server and converted to pkcs7 in openssl:

openssl pkcs7 -in cert.p7b -print_certs -out rui.crt

-- http://alpacapowered.wordpress.com
0 Kudos
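An added example, not part of the thread: a way to check what the `openssl pkcs7 -print_certs` conversion above actually wrote into rui.crt, namely how many certificates it holds and whether they run leaf first, each issued by the one after it. The helper names and the throwaway "Demo" chain are constructed for illustration, and the order check compares subject/issuer names only, not signatures.

```shell
#!/bin/sh
# Added example; every subject and file name below is constructed.
# split_bundle FILE DIR: write each PEM certificate in FILE to DIR/c1.pem, c2.pem, ...
split_bundle() {
  awk -v p="$2/c" '/-----BEGIN CERTIFICATE-----/ {n++; on=1}
    on {print > (p n ".pem")}
    /-----END CERTIFICATE-----/ {on=0}' "$1"
}
# cert_count FILE: number of certificates in a PEM bundle.
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }
# name_of subject|issuer FILE: the DN without openssl's "subject=" / "issuer=" label.
name_of() { openssl x509 -noout "-$1" -in "$2" | sed "s/^$1= *//"; }
# chain_is_ordered FILE: 0 if every certificate was issued by the one after it
# (leaf first, as a TLS server sends its chain), 1 if not, 2 if FILE holds no certificate.
chain_is_ordered() {
  t=$(mktemp -d) || return 2
  split_bundle "$1" "$t"
  i=1; rc=0
  [ -f "$t/c1.pem" ] || rc=2
  while [ -f "$t/c$((i+1)).pem" ]; do
    [ "$(name_of issuer "$t/c$i.pem")" = "$(name_of subject "$t/c$((i+1)).pem")" ] || rc=1
    i=$((i+1))
  done
  rm -rf "$t"
  return $rc
}
# make_demo_chain DIR: throwaway root -> intermediate -> leaf, plus a cert.p7b like a CA download.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  for n in inter leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/inter.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null || return 1
  openssl crl2pkcs7 -nocrl -certfile "$d/leaf.crt" -certfile "$d/inter.crt" -out "$d/cert.p7b"
}
# Usage:
#   d=$(mktemp -d); make_demo_chain "$d"
#   openssl pkcs7 -in "$d/cert.p7b" -print_certs -out "$d/rui.crt"   # the command from the post
#   cert_count "$d/rui.crt"; chain_is_ordered "$d/rui.crt" && echo "leaf first"
```

Run against a real converted file, a count of 1 means the CA's p7b carried no intermediate, and a non-zero status from `chain_is_ordered` means the certificates are not in leaf-first order.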