I seem to be going round in circles trying to upload an SSL certificate to ESXi 6.7.0. We are not managing this through a vCenter server; it's a standalone VM which will be host to a Cisco 9800 CL device.
So far we have an SSL certificate in use by ESXi which has been generated by ESXi.
Not valid after
Tuesday, May 27, 2031, 18:16:46 +0100
Not valid before
Tuesday, November 26, 2019, 17:16:46 +0000
unstructuredName=1574788605\,564d7761726520496e632e,CN=smyserver.mycompany.local,emailAddressfirstname.lastname@example.org,OU=VMware ESX Server Default Certificate,O=VMware\, Inc,L=Palo Alto,ST=California,C=US
Whenever I browse to the web GUI of this device I am getting a security alert, which is to be expected as I have not installed the above certificate, but my aim is to use our local STAR.mycompany.local certificate on the ESXi device as this is what we use on all of our servers around the company. The certificate is then pushed out across our domain so no id
So, I have tried to replace the SSL cert with our company certificate but it just gives errors and reverts to the original one. I have tried to follow several guides also, and 9 times out of 10 I am losing all access to the device and I have to reinstall. I am using a PEM file but maybe it has to be converted somehow?
Can anyone give me any tips on how I can get this to work?
Replacing SSL/TLS certificates can be complex, especially if you do not fully understand how PKI works (I think I understand PKI, but replacing certificates can be challenging). I'm using this KB article (VMware Knowledge Base KB2097936) when I have to replace or modify VCSA certificates.
I tend to deploy the VMCA as a Sub-CA of my Root or Issuing CA. In this case, the VMCA can issue certificates for my ESXi hosts and I only have to deploy the Sub-CA certificate from the VMCA.
What certificate do you have? A single wildcard certificate?
Thanks for your reply. I have had a look at the knowledge base article that you referenced and tried to work through it but I fail at the first hurdle!
-sh: /usr/lib/vmware-vmca/bin/certificate-manager: not found
I think I have every certificate type going and I have tried all of them, all of them say they have failed.
I have wildcard.local.cert.pem, intermediate.cert.pem, chain.cert.pem, key.pem, and ca.cert.pem. I don't really understand the difference between them all or what the ESXi is specifically looking for.
If I inspect the existing certificate generated by the ESXi it looks the same as my wildcard.local.cert.pem and around the same length, but it just won't accept it.
Did you try to enter the command at the Bash prompt of the vCenter Server Appliance?
I'm not using vCenter, it's just standalone ESXi via the navigator or direct SSH, as we only have a VMware vSphere 6 Hypervisor license.
Can it be done without obtaining a license for vCenter?
Ah okay, when using ESXi you have to use a different way. Check this VMware KB article: VMware Knowledge Base
Hmm, I seem to be making slow progress, but it's some progress!
I read through and found this article Replace the Default Certificate and Key from the ESXi Shell which I followed as it seemed more appropriate to our setup. The guide you supplied I think assumed that the host was on Windows.
So, I renamed the key and crt like it suggested and replaced them with our own and rebooted.
It's now pinging back, I can access via SSH and I do not get any security warnings when attempting to connect to the navigator...but it says the site cannot be reached.
Any ideas apart from rolling back to the original files?
BTW, thanks for all your help so far!
Do you have a backup of the original certificate files?
Yeah I have them, worst case scenario I can just restore them. So frustrating though, I feel so close yet so far from finding the solution!
EDIT: I take that back, I've just gone to restore and they aren't there! Not having much luck!
Try this: Generate New Self-Signed Certificates for ESXi
Thank you! Saved me from having to reinstall but I'm back to square one again now
Standalone server ESXi 6.7:
Manage > System > Advanced settings. Set Misc.PreferredHostName (shortname).
Networking > TCP/IP stacks > Default TCP/IP stack. Set Host name and Domain name. Put the host in maintenance mode and reboot it for the changes to take effect.
Manage > Security & users > Certificates. Click Import new certificate.
Most likely you want Generate FQDN signing request. Copy the CSR into a text file (DO NOT REBOOT HOST OR THE PENDING CSR PRIVATE KEY IS WIPED AND YOU WILL HAVE TO GENERATE A NEW REQUEST).
Send the text file to your CA admin, point them to these articles for CSR requirements and CA template requirements.
Requirements for ESXi Certificate Signing Requests
Export the signing CA Root and any Intermediary if your environment has any, in PEM format so it is text readable. Open the certificate file you get back from the request in Notepad. Same for the CA root and intermediaries. Make sure each BEGIN CERTIFICATE and END CERTIFICATE is on its own line. For example:
<Certificate of Host>
<Certificate of intermediary CA>
<Certificate of Root CA>
Go back to Manage > Security & users > Certificates. Open Import new certificate, copy the entire certificate text file with the intermediary/Root CA certificates, and paste into the region provided. Click the Import button at the bottom.
As per the mentioned KB (KB2113926), ESXi does not support wildcard certificates. The certificate has to be unique to the host it applies to.
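As an added example (not from the thread or from VMware), a POSIX shell script that assembles the bundle in the order described above (host, then intermediary, then root) and runs the stated checks with openssl before you paste it into the Import dialog: markers on their own lines, first certificate issued to the host FQDN and not a wildcard, and the chain verifying in that order. The two-tier CA is constructed on the fly as a stand-in for your corporate CA, and the FQDN is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the PEM bundle the ESXi
# "Import new certificate" dialog expects (host, then intermediary, then root)
# and check it with openssl before pasting. The two-tier CA below is constructed
# on the fly as a stand-in for your corporate CA; the FQDN is assumed.
set -eu
FQDN="esxi01.mycompany.local"        # assumed host FQDN (Misc.PreferredHostName + domain)
W=$(mktemp -d)

# --- constructed test CA: root + issuing (intermediary) CA -------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$W/ca.ext"
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout "$W/root.key" -out "$W/root.pem" -days 3650 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout "$W/int.key" -out "$W/int.csr" 2>/dev/null
openssl x509 -req -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" -CAcreateserial \
  -extfile "$W/ca.ext" -out "$W/int.pem" -days 1825 2>/dev/null

# --- host CSR (on ESXi: "Generate FQDN signing request") signed by the issuing CA
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FQDN" > "$W/host.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
  -keyout "$W/host.key" -out "$W/host.csr" 2>/dev/null
openssl x509 -req -in "$W/host.csr" -CA "$W/int.pem" -CAkey "$W/int.key" -CAcreateserial \
  -extfile "$W/host.ext" -out "$W/host.pem" -days 730 2>/dev/null

# Order matters: host first, then each intermediary, root last. cat keeps every
# BEGIN/END marker on its own line as long as each input file ends in a newline.
cat "$W/host.pem" "$W/int.pem" "$W/root.pem" > "$W/bundle.pem"

# check_bundle FILE FQDN: returns 0 only when the bundle is safe to import.
check_bundle() {
  b=$1; fqdn=$2
  if grep -- '-----' "$b" | grep -qvx -e '-----BEGIN CERTIFICATE-----' -e '-----END CERTIFICATE-----'; then
    echo "a BEGIN/END marker is not on its own line"; return 1
  fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$b" || true)
  [ "$n" -ge 2 ] || { echo "expected host certificate plus CA chain, found $n certificate(s)"; return 1; }
  awk '/BEGIN CERT/{i++} {print > (f i ".pem")}' f="$b." "$b"   # split into $b.1.pem .. $b.N.pem
  subj=$(openssl x509 -in "$b.1.pem" -noout -subject)
  case "$subj" in *'CN = *'*|*'CN=*'*) echo "wildcard certificates are not supported (KB2113926)"; return 1;; esac
  case "$subj" in *"CN = $fqdn"*|*"CN=$fqdn"*) ;; *) echo "first certificate is not for $fqdn: $subj"; return 1;; esac
  i=2; untrusted=""                   # intermediaries are untrusted input, the last cert is the anchor
  while [ "$i" -lt "$n" ]; do untrusted="$untrusted -untrusted $b.$i.pem"; i=$((i+1)); done
  openssl verify -CAfile "$b.$n.pem" $untrusted "$b.1.pem" >/dev/null 2>&1 \
    || { echo "chain does not verify in this order"; return 1; }
  echo "bundle OK: $n certificates, host CN matches $fqdn"
}
check_bundle "$W/bundle.pem" "$FQDN"
```

Against a real bundle, replace the constructed CA section with the files your CA admin returns and run only check_bundle.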