HayleyGRIT
Contributor

Installing our own SSL certificate

Hi all,

I seem to be going round in circles trying to upload an SSL certificate to ESXi 6.7.0. We are not managing this through a vCenter server; it's a standalone VM which will be host to a Cisco 9800 CL device.

So far we have a SSL certificate in use by ESXi which has been generated by ESXi.

Issuer: O=VMware Installer

Not valid after: Tuesday, May 27, 2031, 18:16:46 +0100

Not valid before: Tuesday, November 26, 2019, 17:16:46 +0000

Subject: unstructuredName=1574788605\,564d7761726520496e632e,CN=smyserver.mycompany.local,emailAddress=ssl-certificates@vmware.com,OU=VMware ESX Server Default Certificate,O=VMware\, Inc,L=Palo Alto,ST=California,C=US

Whenever I browse to the web GUI of this device I get a security alert, which is to be expected as I have not installed the above certificate, but my aim is to use our local STAR.mycompany.local certificate on the ESXi device as this is what we use on all of our servers around the company. The certificate is then pushed out across our domain so no id

So, I have tried to replace the SSL cert with our company certificate but it just gives errors and reverts back to the original one. I have also tried to follow several guides, and 9 times out of 10 I lose all access to the device and have to reinstall. I am using a PEM file but maybe it has to be converted somehow?

Can anyone give me any tips on how I can get this to work?

12 Replies
blazilla
Enthusiast

Hi,

replacing the SSL/TLS certificates can be complex, especially if you have not fully understood how PKI works (I think I understand PKI, but replacing certificates can be challenging). I'm using this KB article (VMware Knowledge Base KB2097936) when I have to replace or modify VCSA certificates.

I tend to deploy the VMCA as a Sub-CA of my Root or Issuing CA. In this case, the VMCA can issue certificates for my ESXi hosts and I only have to deploy the Sub-CA certificate from the VMCA.

What certificate do you have? A single wildcard certificate?

Best regards Patrick https://www.vcloudnine.de
HayleyGRIT
Contributor

Hi Blazilla,

Thanks for your reply. I have had a look at the knowledge base article that you referenced and tried to work through it but I fail at the first hurdle!

[root@myserver:~] /usr/lib/vmware-vmca/bin/certificate-manager

-sh: /usr/lib/vmware-vmca/bin/certificate-manager: not found

I think I have every certificate type going and I have tried all of them, all of them say they have failed.

I have wildcard.local.cert.pem, intermediate.cert.pem, chain.cert.pem, key.pem, and ca.cert.pem. I don't really understand the difference between them all or what the ESXi is specifically looking for.

If I inspect the existing certificate generated by the ESXi it looks the same as my wildcard.local.cert.pem and around the same length, but it just won't accept it.

blazilla
Enthusiast

Did you try to enter the command at the Bash prompt of the vCenter Server Appliance?

Best regards Patrick https://www.vcloudnine.de
HayleyGRIT
Contributor

Hi,

I'm not using vCenter; it's just standalone ESXi via the navigator or direct SSH, as we only have a VMware vSphere 6 Hypervisor license.

Can it be done without obtaining a license for vCenter?

blazilla
Enthusiast

Ah okay, when using ESXi, you have to use a different way. Check this VMware KB article: VMware Knowledge Base

Best regards Patrick https://www.vcloudnine.de
HayleyGRIT
Contributor

Hmm, I seem to be making slow progress, but it's some progress!

I read through and found this article Replace the Default Certificate and Key from the ESXi Shell which I followed as it seemed more appropriate to our setup. The guide you supplied I think assumed that the host was on Windows.

So, I renamed the key and crt like it suggested and replaced them with our own and rebooted.

It's now pinging back, I can access via SSH and I do not get any security warnings when attempting to connect to the navigator...but it says the site cannot be reached.

Any ideas apart from rolling back to the original files?

BTW, thanks for all your help so far!

blazilla
Enthusiast

Do you have a backup of the original certificate files?

Best regards Patrick https://www.vcloudnine.de
HayleyGRIT
Contributor

Yeah I have them, worst case scenario I can just restore them. So frustrating though, I feel so close yet so far from finding the solution!

EDIT: I take that back, I've just gone to restore and they aren't there! Not having much luck!

blazilla
Enthusiast

Try this: Generate New Self-Signed Certificates for ESXi

Best regards Patrick https://www.vcloudnine.de
HayleyGRIT
Contributor

Thank you! Saved me from having to reinstall, but I'm back to square one again now :(

andrewpilachows
Enthusiast

Standalone server ESXi 6.7:

Manage > System > Advanced settings. Set Misc.PreferredHostName (shortname).


Networking > TCP/IP stacks > Default TCP/IP stack. Set Host name and Domain name. Put the host in maintenance mode and reboot it for the changes to take effect.


Manage > Security & users > Certificates. Click Import new certificate.


Most likely you want Generate FQDN signing request. Copy the CSR into a text file (DO NOT REBOOT THE HOST, OR THE PENDING CSR'S PRIVATE KEY IS WIPED AND YOU WILL HAVE TO GENERATE A NEW REQUEST).


Send the text file to your CA admin, point them to these articles for CSR requirements and CA template requirements.

Requirements for ESXi Certificate Signing Requests

VMware Knowledge Base

Export the signing CA root and any intermediaries, if your environment has any, in PEM format so it is text readable. Open the certificate file you get back from the request in Notepad. Same for the CA root and intermediaries. Make sure each BEGIN CERTIFICATE and END CERTIFICATE is on its own line. For example:

-----BEGIN CERTIFICATE-----
<Certificate of Host>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Certificate of intermediary CA>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Certificate of Root CA>
-----END CERTIFICATE-----

Go back to Manage > Security & users > Certificates. Open Import new certificate, copy the entire certificate text file with the intermediary/root CA certificates, and paste it into the region provided. Click the Import button at the bottom.

AhmedIbrahimVMw
Enthusiast

As per the mentioned KB (KB2113926), ESXi does not support wildcard certificates. The certificate has to be unique to the host it applies to.
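The checks worth running before the files ever touch the host, pulled together from the three technical points in this thread: the rui.crt/rui.key replacement from the ESXi shell (which left the host unreachable above), the chain-file rules from andrewpilachows's post (host cert, then intermediate, then root, every BEGIN/END marker on its own line), and the no-wildcard rule from this last post. This is an added example, not code from the thread, from VMware or from any KB. It assumes only the openssl CLI; the host name esxi01.mycompany.local, the CA names and the whole root/intermediate/host PKI it builds are made-up test data generated inside the script, and the encrypted-key case is simply treated as a failure.

```shell
#!/bin/sh
# Added example (not from the thread or from VMware): pre-flight checks for an
# ESXi host certificate before it is copied over /etc/vmware/ssl/rui.crt and
# rui.key. Needs only the openssl CLI and runs offline: a throwaway root CA,
# intermediate CA, host cert and wildcard cert are generated here as test data.
# Every name below (esxi01.mycompany.local, "Example Root CA", ...) is made up.
set -eu

HOSTFQDN="esxi01.mycompany.local"   # assumed; must equal host name + domain set on the host
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: root -> intermediate -> host cert, plus a wildcard cert
# signed by the same intermediate so the checks have something to reject.
make_test_pki() {
  sign="-sha256 -days 365"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
      -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  openssl x509 -req $sign -in "$WORK/root.csr" -signkey "$WORK/root.key" \
      -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
      -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req $sign -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
      -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
  for pair in "rui:$HOSTFQDN" "wild:*.mycompany.local"; do
    name=${pair%%:*}; cn=${pair#*:}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" > "$WORK/$name.ext"
    openssl x509 -req $sign -in "$WORK/$name.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  done
}

# Check 1: the key must be the one the CSR was made from and must load without a
# passphrase (nobody is there to type one for hostd). A key from a different CSR,
# e.g. after the host was rebooted and the request regenerated, fails here.
key_matches_cert() {   # key_matches_cert CERT KEY
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 2: host cert -> intermediate -> root must verify, and the cert must be
# valid for the FQDN the host presents. A wildcard passes this check: that is why
# a browser accepts it while ESXi does not (check 3).
chain_verifies() {     # chain_verifies HOSTCERT INTERMEDIATE ROOT FQDN
  openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" >/dev/null 2>&1
}

# Check 3: ESXi wants a certificate issued to this one host (KB2113926: no
# wildcards), so the subject CN has to be literally the host's FQDN.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'; }
cn_is_host_fqdn() { [ "$(cert_cn "$1")" = "$2" ]; }

# Check 4: assemble what goes into rui.crt: host cert, then intermediate(s), then
# root, with each BEGIN/END marker on its own line. Copy-paste through Notepad
# often glues a marker onto the neighbouring base64, which then fails to parse.
build_chain() {        # build_chain OUT HOSTCERT INTERMEDIATE ROOT
  out=$1; shift
  cat "$@" | awk '{ gsub(/-----BEGIN CERTIFICATE-----/, "\n&\n");
                    gsub(/-----END CERTIFICATE-----/,   "\n&\n"); print }' | awk 'NF' > "$out"
}
chain_block_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

check() {   # check FUNCTION ARGS...  prints PASS/FAIL without aborting the script
  if "$@"; then echo "PASS: $1 $2"; else echo "FAIL: $1 $2"; fi
}

make_test_pki
# Simulate the glued-marker mistake on the host cert before building the chain.
awk 'NR==1 { printf "%s", $0; next } { print }' "$WORK/rui.crt" > "$WORK/rui_glued.crt"
build_chain "$WORK/chain.pem" "$WORK/rui_glued.crt" "$WORK/inter.crt" "$WORK/root.crt"

check key_matches_cert "$WORK/rui.crt" "$WORK/rui.key"                              # PASS
check key_matches_cert "$WORK/rui.crt" "$WORK/wild.key"                             # FAIL: other CSR
check chain_verifies "$WORK/rui.crt"  "$WORK/inter.crt" "$WORK/root.crt" "$HOSTFQDN" # PASS
check chain_verifies "$WORK/wild.crt" "$WORK/inter.crt" "$WORK/root.crt" "$HOSTFQDN" # PASS (browser view)
check cn_is_host_fqdn "$WORK/rui.crt"  "$HOSTFQDN"                                  # PASS
check cn_is_host_fqdn "$WORK/wild.crt" "$HOSTFQDN"                                  # FAIL: wildcard
echo "chain.pem holds $(chain_block_count "$WORK/chain.pem") certificates, first CN: $(cert_cn "$WORK/chain.pem")"

# On the ESXi host itself (NOT run here): keep the originals so you can roll back,
# then install and restart hostd (or reboot):
#   cp /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.orig
#   cp /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.orig
#   cp chain.pem /etc/vmware/ssl/rui.crt && cp rui.key /etc/vmware/ssl/rui.key
#   /etc/init.d/hostd restart
```

Only `key_matches_cert` and `cn_is_host_fqdn` fail for the wildcard case; `chain_verifies` happily accepts `*.mycompany.local` for `esxi01.mycompany.local`, which is the same verdict a browser gives and the reason the STAR certificate looked usable in the first place.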