Upload custom SSL certificate to ESXi

This document describes a PowerShell script that uploads a custom SSL certificate file and private key to an ESXi host using an HTTPS PUT request.

Once the ESXi host is installed, you can upload the SSL certificate and private key to it with HTTPS PUT requests to the following two URLs:

https://<hostname>/host/ssl_cert (SSL certificate)

https://<hostname>/host/ssl_key (private key)

The script provided below uses PowerShell to upload the custom SSL certificate and private key to the URLs above.

The script has a couple of variables to take into account:

[Arguments]

-strESXi <hostname>

This argument must be provided. It is the hostname of the ESXi host on which you want the SSL certificate and private key to be replaced.

[In-script variables]

The following variables can be changed by opening the script and changing the values under Input Parameters.

$strUser = "root"

This is the account used to upload the SSL certificate and private key to the ESXi host. If you replace root, the account you provide must have at least the Host.Config.AdvancedConfig privilege on the ESXi host to upload the SSL certificate and private key.

$strSSLdir = "c:\temp\certificates"

This variable tells the script where the SSL certificates and private keys of the ESXi hosts are stored. The SSL certificate and private key for an ESXi host must be named <hostname>.crt (SSL certificate) and <hostname>.key (private key).

[First time usage]

The first time you execute the script, it asks for the password of the "root" account (or of the account you provide in $strUser). The password is stored, as a secure string, in the <username>-credentials file in the directory where the script is located. This prevents the script from asking for the password on every execution. If the password changes, delete the file and the script will ask for the new password.

[Usage example]

UploadCert2ESXi.ps1 -strESXi esx01

[Additional info]

If you get the following error during execution:

Exception calling "UploadFile" with "3" argument(s): "The operation has timed out"
At :line:206 char:25
+       $objWebClient.UploadFile <<<< (($strESXiURL + "/host/ssl_key"),"PUT",$strHostCertFile)

edit this line in the PS script: webRequest.Timeout = 10000;

and increase the value 10000 (the timeout in milliseconds) until your files are uploaded to the ESXi host.
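The whole procedure described above (the <username>-credentials file, the request timeout, and the two PUT URLs) as an added PowerShell example. This is not the author's UploadCert2ESXi.ps1; the TimeoutWebClient class and the optional -ExpectedThumbprint parameter (pinning the host's current certificate instead of accepting any certificate) are my assumptions, not part of the original script.

```powershell
# Added example, not the author's UploadCert2ESXi.ps1; same variables and URLs as the document.
param(
    [Parameter(Mandatory = $true)][string]$strESXi,
    [string]$strUser = "root",
    [string]$strSSLdir = "c:\temp\certificates",
    [string]$ExpectedThumbprint            # assumed extra: SHA-1 thumbprint of the host's current cert
)
# WebClient has no Timeout property; a small subclass sets the webRequest.Timeout the document refers to.
Add-Type -TypeDefinition @'
using System; using System.Net;
public class TimeoutWebClient : WebClient {
    public int TimeoutMs = 10000;                       // raise this on "The operation has timed out"
    protected override WebRequest GetWebRequest(Uri address) {
        WebRequest webRequest = base.GetWebRequest(address);
        webRequest.Timeout = TimeoutMs;
        return webRequest;
    }
}
'@

$strESXiURL      = "https://$strESXi"
$strHostCertFile = Join-Path $strSSLdir "$strESXi.crt"
$strHostKeyFile  = Join-Path $strSSLdir "$strESXi.key"
foreach ($f in $strHostCertFile, $strHostKeyFile) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# A fresh host still presents its self-signed certificate: pin its thumbprint rather than accept anything.
if ($ExpectedThumbprint) {
    $script:pin = $ExpectedThumbprint.Replace(":", "").ToUpper()
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
        param($sender, $cert, $chain, $errors)
        return ($cert.GetCertHashString().ToUpper() -eq $script:pin)
    }
}

# <username>-credentials file next to the script, created on first run as described above.
$credFile = Join-Path $PSScriptRoot "$strUser-credentials"
if (-not (Test-Path $credFile)) {
    Read-Host -AsSecureString "Password for $strUser" | ConvertFrom-SecureString | Set-Content $credFile
}
$secPwd = Get-Content $credFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential($strUser, $secPwd)

$objWebClient = New-Object TimeoutWebClient
$objWebClient.Credentials = $cred.GetNetworkCredential()

# Certificate to /host/ssl_cert and key to /host/ssl_key; swapping them is the bug fixed in the comments below.
$objWebClient.UploadFile(($strESXiURL + "/host/ssl_cert"), "PUT", $strHostCertFile) | Out-Null
$objWebClient.UploadFile(($strESXiURL + "/host/ssl_key"),  "PUT", $strHostKeyFile)  | Out-Null
```

The credentials file is protected only by the DPAPI user key of the account that created it, so keep it in a directory that other users cannot read.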

Author: Martijn Baecke (dotNL)

Website: http://thinkcloud.nl

Email: baecke at gmail dot com

Comments

Check lines 206 and 208, you are putting the key file in the cert store and the crt file in the key store. Right now this script hangs ESXi once you restart the services.

Correct lines are:

# Upload SSL certificate
$objWebClient.UploadFile(($strESXiURL + "/host/ssl_cert"),"PUT",$strHostCertFile)
# Upload SSL key
$objWebClient.UploadFile(($strESXiURL + "/host/ssl_key"),"PUT", $strHostKeyFile)

Really useful script anyway!

You are correct indeed. Corrected the mistake. Thanks!

Running ESXi 4.1.0 and am getting a forbidden error.

Exception calling "UploadFile" with "3" argument(s): "The remote server returned an error: (403) Forbidden."
At C:\scripts\esxi_replace_certs.ps1:206 char:25
+ $objWebClient.UploadFile <<<< (($strESXiURL + "/host/ssl_cert"),"PUT",$strHostCertFile)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
Exception calling "UploadFile" with "3" argument(s): "The remote server returned an error: (403) Forbidden."
At C:\scripts\esxi_replace_certs.ps1:208 char:25
+ $objWebClient.UploadFile <<<< (($strESXiURL + "/host/ssl_key"),"PUT", $strHostKeyFile)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

This is most likely an indicator that your credentials are incorrect. That's the reason for getting a 403 HTTP error.

This script has been tested against ESXi 4.1, with positive results.

Excellent script.

Note: to run it from a W2008R2 server you need to open the PowerCLI cmd window with "run as administrator", even if you are logged in with an admin account.

Hi,

I just discovered an issue with this script. I used it a few months ago to generate some CA signed certificates for standalone ESXi hosts. All is fine, but there is a problem when you try to join this host to vCenter. The certificate is not uploaded in text/ASCII mode.

Because of this, CRLF characters are transformed into ^M in the file on ESXi.

Is there any way to improve the script so that it will transfer the file correctly?

Either do a conversion before the transfer or does the upload method allow specifying in which way the transfer can take place?

Thank you,

ionut

Version history
Revision #: 1 of 1
Last update: 01-30-2011 05:02 AM