Hi,
I installed ESXi 3.5 and during the installation it generated an SSL certificate associated with the hostname that the box obtained from DHCP. I've changed the hostname to something definitive and now I need to regenerate the certificate. How can I do this?
Any help will be appreciated. Thanks.
BTW, I have the VMware CLI appliance running on the host, is there a command to do this?
You generate a certificate to use (x509 format) and then copy it to the host with the RCLI - then restart the host (or you could just try to restart the management services first).
vifs.pl --server= --put c:\ssl_cert /host/ssl_cert
Well, I was fooling around, and tried a different method. Pretty sure I broke it.
Now when I try your method, I get:
C:\Program Files\VMware\VMware VI Remote CLI\bin>vifs.pl --server=x.x.x.x --put certificate.crt /host/ssl_cert
Enter username: root
Enter password:
Error connecting to server at 'https://x.x.x.x/sdk/webService': Perhaps host is not a Virtual Center or ESX server
Actually, I can't log in remotely as a result of my fooling around. Any suggestions?
Jase McCarty
Co-Author of VMware ESX Essentials in the Virtual Data Center
(ISBN:1420070274) from Auerbach
If you access the console (ALT+F1) you can regenerate the certificate.
Edit the hosts file to suit
vi /etc/hosts
and add the IP and server name to the hosts file
127.0.0.1 localhost.localdomain localhost
192.168.1.10 vm1.domainame.com
Run the create_certificate utility to generate a new ssl certificate.
#create_certificates
The server will need to be restarted before it takes effect.
If someone could confirm this it would be helpful.
That solution does not work for ESXi, since it doesn't have an actual console (only a menu where the network settings and root password can be configured).
Have a look at http://www.vm-help.com/esx/esx3i/ESXi_enable_SSH.php You will find that you can get a console. You can even do this through an SSH connection. I am reasonably sure the above procedure does work.
The create_certificates will recreate the self-signed cert for the host. You can also copy a replacement cert / private key if you want to use a certificate generated by a CA - http://www.vm-help.com/esx/esx3i/change_name_and_cert.php.
I've found a way to use ESXi's openssl to get a certificate from a Win2003 CA.
1) Get into ESXi's ssh.
2) cp /sbin/create_certificates /tmp
3) cd /tmp ; vi create_certificates # to extract the part that creates cert.cnf, then create cert.cnf
4) openssl req -newkey rsa:1024 -keyout rui.key -out rui.csr -config cert.cnf
5) Copy rui.csr to local disk via clipboard.
On CA host:
6) certreq -submit -attrib "CertificateTemplate:WebServer" rui.csr
7) If your CA issues certs automatically, save the certificate to rui.crt
- else -
certreq -retrieve rui.crt
(I use certreq 'cause my CA Web Services doesn't offer WebServer template.)
8) Copy rui.key and rui.crt to /etc/vmware/ssl
9) Reboot ESXi.
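Added example, not part of the original posts and not the cert.cnf that ESXi's create_certificates writes: a minimal, constructed OpenSSL request config plus a check that the CSR really names the host's definitive hostname before it is sent to the CA. It assumes a workstation with the openssl CLI; the function names, the sample hostname vm1.example.test and the 2048-bit key size are choices made for this example.

```shell
#!/bin/sh
# make_csr FQDN OUTDIR
# Writes OUTDIR/cert.cnf, OUTDIR/rui.key and OUTDIR/rui.csr.
make_csr() {
    fqdn=$1
    out=$2
    mkdir -p "$out" || return 1
    # Constructed minimal config: the subject is just the host name, and the
    # same name is requested as a subjectAltName. Note that a CA may ignore
    # requested extensions, so inspect the issued certificate as well.
    cat > "$out/cert.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]
CN = $fqdn

[ v3_req ]
subjectAltName = DNS:$fqdn
EOF
    # -nodes leaves the private key unencrypted so a service can load it
    # without a passphrase; umask 077 keeps the key file owner-only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out/rui.key" -out "$out/rui.csr" \
          -config "$out/cert.cnf" ) 2>/dev/null
}

# csr_names_host CSR FQDN
# Succeeds only if the CSR's self-signature verifies and its subject is
# exactly CN=FQDN. This catches a request still carrying an old DHCP name.
csr_names_host() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    # Strip spaces so "CN = x", "CN=x" and "/CN=x" output styles all compare.
    subj=$(openssl req -in "$1" -noout -subject | tr -d ' ')
    case "$subj" in
        *"CN=$2") return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: make_csr vm1.example.test ./newcert &&
#        csr_names_host ./newcert/rui.csr vm1.example.test && echo "CSR ok"
```
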
There is no "create-certificates" command:
~ # uname -a
VMkernel vm1 3.5.0 #1 SMP Release build-123629 Oct 15 2008 21:03:57 i686 unknown
~ # create-certificates
bash: create-certificates: not found
Is it necessary to do this with openssl? Or has something changed in the newest release?
Use the full path and "create_certificates" (underline)
I am trying to upgrade the SSL certificate on ESXi 3.5.0 build 163429. The steps you have mentioned will be very useful. Can you please tell me how to create a new 128-bit SSL encryption certificate?
Thanks In Advance
Hi,
I am regenerating the certificate using the VMware shell.
You have given the steps for doing this.
I want to get the certificate by something beyond the generate-certificates.sh command (this command directly generates the certificate).
What I want is to make my own certificates with some options specified, at least changing the key length.
I tried modifying generate-certificates.sh:
cp generate-certificates.sh /tmp
cd tmp
vi generate-certificates.sh
and tried to modify the bit length to 1024. But on exiting, it does not allow me to make changes in that file.
I just want to generate the rui.crt file (with the rui.key and rui.csr files) and make my own certificate, so that I can show my professor that I have made some changes to the file.
In your steps here,
1) Get into ESXi's ssh.
2) cp /sbin/create_certificates /tmp
3) cd /tmp ; vi create_certificates # to extract the part that creates cert.cnf, then create cert.cnf
4) openssl req -newkey rsa:1024 -keyout rui.key -out rui.csr -config cert.cnf
5) Copy rui.csr to local disk via clipboard.
On CA host:
6) certreq -submit -attrib "CertificateTemplate:WebServer" rui.csr
7) If your CA issues certs automatically, save the certificate to rui.crt
- else -
certreq -retrieve rui.crt
(I use certreq 'cause my CA Web Services doesn't offer WebServer template.)
8) Copy rui.key and rui.crt to /etc/vmware/ssl
9) Reboot ESXi.
I am unable to follow steps 3, 5 and 7, as I have no knowledge of cert.cnf, of operations on ESXi, or of ESXi terminology.
With this my project will be over.
Please guide me in this task.
Thank you.
As I do not know much about VMware ESXi, I also followed the steps in the document below.
I am using ESXi 4.1.
http://blogs.freebsdish.org/tmclaugh/2009/02/17/some-vmware-esxi-post-install-notes/
But here it needs openssl.cnf, which is not there in the ESXi shell.
I just want the part from the ESXi shell that you mentioned for cert.cnf, which is equivalent to openssl.cnf (because we also need an x509 certificate; I am not sure from where to where to copy, or how to copy, in ESXi),
so that I can follow the remaining steps of the document.
I installed ESXi on VMware Workstation.
When I run vmfs.pl commands, those are also not working.
The vSphere Client is also not giving me the right direction (maybe because I am not familiar with it).
Please help me.
Thank you.