Update Certificates in ESXi 5.1

This article describes how to replace the ESXi 5 host certificates with CA-signed certificates (issued either by your own internal CA or by a third-party CA). NOTE that the instructions differ for other versions of ESXi!

Make sure SSH is enabled on your ESXi host and that you know how to log in (SSH can be enabled from the menu on the physical server).

You should probably use a directory other than /tmp, such as a datastore path under /vmfs/volumes...; /tmp is used here only for simplicity, and it appears to be cleared on reboot. Also note that the /etc/vmware/ folder is reset on reboot, so do not keep your ssl backup folder there.

ssh esxi5.example.com
mkdir /tmp/ssl
cd /tmp/ssl
# write openssl.cfg into /tmp/ssl, the directory the openssl commands below are run from
cat > openssl.cfg << EOF

#This has been copied from the VMWare site "Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment"

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vc50, IP:10.0.0.10, DNS:vc50.vmware.com # UPDATE WITH YOUR OWN DATA HERE

[ req_distinguished_name ]
# UPDATE WITH YOUR OWN DATA HERE
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMWare
organizationalUnitName = vCenterInventoryService
commonName = vc50.vmware.com
EOF

cd /tmp/ssl
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
openssl rsa -in rui-orig.key -out rui.key # this is required according to VMWare although the file contents do not really change...

#Now get the file "rui.csr" signed by your certificate authority. Copy the returned certificate back into the /tmp/ssl folder as "rui.crt".

mv /etc/vmware/ssl /etc/vmware/ssl-backup
cp -R /tmp/ssl /etc/vmware/
/etc/init.d/hostd restart
/etc/init.d/vpxa restart

#Verify that the certificates have not been overwritten:

diff /etc/vmware/ssl/rui.key /tmp/ssl/rui.key
diff /etc/vmware/ssl/rui.crt /tmp/ssl/rui.crt
reboot

#Check that the certificates are accepted and working (you will get an error message if the certificates are broken):

vim-cmd vmsvc/getallvms

#Verify AGAIN that the certificates have not been overwritten:

diff /etc/vmware/ssl/rui.key /tmp/ssl/rui.key
diff /etc/vmware/ssl/rui.crt /tmp/ssl/rui.crt
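The diffs above only show that the files were not overwritten; they do not show that rui.key and rui.crt belong together or that the certificate names the host. The following shell functions, an added example that is not part of the original article or of VMware's KB articles, check exactly that on the files in /tmp/ssl before the mv/cp/restart steps, and compare what hostd serves on port 443 afterwards; they assume only the openssl and BusyBox tools already present in the ESXi shell.

```sh
# Added example, not part of the original article or VMware's KB articles:
# sanity checks to run on the files in /tmp/ssl BEFORE the mv/cp/restart
# steps, plus one to run once hostd is back. Uses only the openssl and
# BusyBox tools that the ESXi shell already provides (assumed available).

# check_pair KEY CRT FQDN
# Returns 0 when KEY and CRT belong together, CRT names FQDN and has not
# expired; otherwise prints the reason and returns 1..4. A key/certificate
# mismatch is the classic reason hostd refuses to start after the restart.
check_pair() {
    key="$1"; crt="$2"; fqdn="$3"

    # 1. The private key must parse and pass OpenSSL's RSA consistency check.
    openssl rsa -in "$key" -check -noout >/dev/null 2>&1 || {
        echo "FAIL: $key is not a usable RSA private key"; return 1; }

    # 2. The modulus of the key must equal the modulus of the public key in
    #    the certificate; otherwise the CA signed a CSR from a different key.
    kmod=$(openssl rsa  -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || {
        echo "FAIL: $crt does not match the public key of $key"; return 2; }

    # 3. FQDN must be the subject CN or one of the DNS subjectAltNames that
    #    openssl.cfg put into the CSR, or clients will reject the certificate.
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$fqdn" ||
    openssl x509 -in "$crt" -noout -text    | grep -q "DNS:$fqdn" || {
        echo "FAIL: $fqdn is not named in $crt"; return 3; }

    # 4. -checkend 0 fails if the certificate is already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || {
        echo "FAIL: $crt has expired"; return 4; }

    echo "OK: $key and $crt match and name $fqdn"
    return 0
}

# served_fingerprint HOST
# After the hostd restart, prints the SHA-1 fingerprint of the certificate
# actually presented on port 443, for comparison with:
#   openssl x509 -in /etc/vmware/ssl/rui.crt -noout -fingerprint -sha1
served_fingerprint() {
    echo | openssl s_client -connect "$1:443" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1
}
```

Run `check_pair /tmp/ssl/rui.key /tmp/ssl/rui.crt esxi5.example.com` before the mv step, and `served_fingerprint esxi5.example.com` from another machine after the restart.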

If you are unlucky and run into problems with the certificates (the server no longer starts), run /sbin/generate-certificate. This re-creates the built-in certificates.

Sources used for this article (if your issue or goal differs, they may point you in the right direction):
- Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment
- Configuring CA signed certificates for ESXi 5.x hosts