VMware Cloud Community
blackhauk
Enthusiast

Replacing ESXi HOST Certificates on 6.7

I already made my vcsa a Sub-Signer of my Windows CA, and replaced all the certs on all the services...

When I try to refresh the CA certs on a host - I get an error that wants to reload the page, and it never happens...

Now, that said, this Host is joined to AD.  It is also severely locked down, via DoD STIG requirements. 

Is there a catch to doing this?  Is it just that simple?  I wonder if I should delete the default Root CA Certificate from the VMCA so it wouldn't attempt to use this - because if I just select 'Renew Certificate' - it completes fine, but when I hit the web interface of the Host - it's still the self-signed CA cert.  So...anyone got a hack for me or something - all the articles I find I've already done, but this particular piece isn't covered very well in what I can find.  Frankly, the pubs area is even a bit confusing when it comes to this.

Any help - greatly appreciated...

mark


Accepted Solutions
blackhauk
Enthusiast

Maybe this is something I need to do?

Refresh the Security Token Service Certificate

Which leads me to also doing this?

Generate a New STS Signing Certificate on the Appliance

I could use some guidance on this...  thanks!

mark

3 Replies
blackhauk
Enthusiast

OK, so yes, the STS is where you address host certificates.

Go through the articles again if you want; I just used my signing cert that I already used, and used the openssl command to convert it into a p12. Copied it over to Windows, renamed it to pfx, and imported it into the STS Certificates store through the web GUI.

After that, rebooted vcenter....

Logged in, and checked everything, looked good.  Then - and this is where you get crazy - (After you ensure you have a good backup of your vCenter appliance somewhere) - delete the Chain 1 from the STS Certificate store via the WEB GUI - this is important - don't do it on the appliance/shell.  Delete the chain 1 (which should be the default self-signed CA crap).  Once you do that - you're golden....

Go to each host - Refresh CA certificates on host, Renew the Certificate - and BAM!  Now it's signed by your Windows CA - and you're good to go...

Hope this helps someone down the road...

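Added example, not code from this thread: the openssl step mark describes, packaging the Windows-CA-issued signing certificate and key into a PKCS#12 for the STS import, plus a check that the bundle actually chains to the Windows root CA before you import it (the cheapest way to find out why a host would still come back with a self-signed cert). File names, the friendly name and the password are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Builds the PKCS#12 bundle that
# gets imported into the STS certificate store and checks that it chains to
# the Windows root CA. All file names and the password are assumptions.
set -eu

# Bundle the signing certificate, its private key and the issuing chain
# (PEM) into a PKCS#12 file; Windows opens it once renamed to .pfx.
#   $1 cert  $2 key  $3 chain PEM  $4 output .p12  $5 export password
make_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name "windows-ca-signing" -out "$4" -passout "pass:$5"
}

# Return 0 when the bundled leaf certificate verifies against the given
# root CA using only the chain carried inside the bundle, 1 otherwise.
#   $1 .p12 file  $2 password  $3 root CA PEM
verify_pfx() {
  p12=$1; pass=$2; root=$3
  tmp=$(mktemp -d)
  # -clcerts: the certificate that owns the key; -cacerts: the rest of the chain
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$tmp/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts \
    -out "$tmp/chain.pem" 2>/dev/null
  if openssl verify -CAfile "$root" -untrusted "$tmp/chain.pem" \
       "$tmp/leaf.pem" >/dev/null 2>&1; then
    rm -rf "$tmp"; return 0
  fi
  rm -rf "$tmp"; return 1
}

# Usage (paths are assumptions):
#   make_pfx signing.pem signing.key chain.pem signing.p12 'changeit'
#   verify_pfx signing.p12 'changeit' windows-root.pem && echo "chain OK"
```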
abugeja
Hot Shot

Sorry to hijack this thread, but I'm at a stage where I need to apply 3rd-party certificates to all my ESXi hosts instead of using a self-signed one.

vCenter has a 3rd-party certificate applied to it, but the ESXi hosts seem to be different as to how you push the certificates to them. Does anyone happen to have any recommended websites I could use to see what the entire process is?
