Configuring CA signed certificates for ESXi 5.x hosts

Creating CA-signed certificates for an ESXi 5.x host is a complex task. Many organizations require it to meet regulatory requirements. Each certificate is unique to the host because it is tied to the host's fully qualified domain name, so you cannot take a single certificate and apply it to all hosts. Wildcard certificates are currently not supported, and even if they were, a dedicated certificate per host is the more secure choice: a private key compromised on one host would not let an attacker impersonate every other host. There are several workflows required for a successful implementation:

  • Validating FQDN (Full DNS Name)
  • Install OpenSSL and the Visual C++ 2008 Redistributable Package
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate on the ESXi host

These steps must be followed to ensure successful implementation of a custom certificate for an ESXi 5.x host. Before attempting these steps ensure that:

  • You have OpenSSL installed
  • You have the Microsoft Visual C++ 2008 Redistributable Package installed
  • You have a vSphere 5.0 or vSphere 5.1 environment
  • You have followed the steps in the configuring SSL articles for vSphere 5.0 or vSphere 5.1
  • You have an SSH client (such as PuTTY) installed
  • You have an SFTP/SCP client (such as WinSCP) installed

Validating FQDN (Full DNS Name)

To check the certificate before or after the certificate installation, use a browser and navigate to the URL of the vCenter Server or ESXi host. Use the following URL:

https://FQDN

Use the fully qualified domain name, not the IP address or the short host name, because the name in the certificate must match the server's fully qualified domain name.

Click Continue to this website (not recommended).

On the next screen, click the Certificate Error button, then click View certificates.

Take a look at the certificate. It cannot be verified because it was issued by "VMware Installer", the self-signed issuer of the default certificate, which is not a trusted certification authority.
Click OK.

If the certificate issuer is well-known

If the certificate issuer is trusted by the browser (a public CA, or an internal CA whose root certificate has been imported into the client's trusted root store), you see the VMware welcome screen without any warning.

This certificate was issued by a trusted CA and has been successfully verified.

Creating the certificate request

To generate a certificate request for an ESXi 5.x host, launch a command prompt and navigate to the OpenSSL directory as previously configured in the Configuring OpenSSL article. By default this is C:\OpenSSL-Win32\bin.
Execute the command:

openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg

The -nodes option leaves rui.key unencrypted, which ESXi requires. The key size comes from openssl.cfg; the default in the example below is 1024 bits, which is no longer considered adequate, so set default_bits = 2048 in openssl.cfg or add -newkey rsa:2048 to the command. When prompted for the Common Name, enter the host's fully qualified domain name exactly as it resolves in DNS.

Example:

C:\OpenSSL-Win32\bin>openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to 'rui.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IL
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myIT
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:testesx01.qa.lab
Email Address []:test@myit.co.il

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C:\OpenSSL-Win32\bin>

This creates the certificate request rui.csr and the private key rui.key. Keep rui.key private; it is installed on the host together with the certificate and never needs to leave your control.

When rui.csr is created, proceed to Getting the certificate.

Getting the certificate

After the certificate request is created, the request must be submitted to the certificate authority, which generates the actual certificate. The CA returns the certificate and, if necessary, a copy of its root certificate. For the certificate chain to be trusted, the CA's root certificate must be in the trusted root store of every system that connects to the host, such as vCenter Server and the administrators' workstations.
Follow the appropriate section below for the steps for the certificate authority in question.
For Microsoft CAs:
  1. Log in to the Microsoft CA web enrollment interface. By default, it is http://<servername>/CertSrv/

  2. Click Request a certificate.
  3. Click advanced certificate request.
  4. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  5. Open the certificate request in a plain text editor.
  6. Copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
  7. Click Web Server when selecting the Certificate Template.
  8. Click Submit to submit the request.
  9. Click Base 64 encoded on the Certificate issued screen.
  10. Click Download Certificate.
  11. Save the certificate on the desktop of the server as rui.crt.
For OpenSSL Self-Signed Certificates:
  1. Create the certificate by running the command:

openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout rui.key -config openssl.cfg -out rui.crt -days 3650

This command generates a new 2048-bit key and a self-signed certificate (-nodes keeps the key unencrypted, as ESXi requires) and outputs the rui.crt and rui.key needed to proceed to the installation and configuration section of this article. Note that a self-signed certificate is not CA-signed: browsers will still warn unless this certificate itself is imported into their trust store.
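
The request, signing and pre-install checks of the three sections above as one script (an added example, not code from the original article or from VMware). It generates rui.key and rui.csr non-interactively, stands in for the CA with a throwaway root so that it runs offline, signs rui.crt, and then checks what the Validating FQDN section checks in a browser, plus two things the browser cannot tell you: that rui.crt belongs to rui.key and that the key is unencrypted. The FQDN, organisation names and CA name are placeholders, and an openssl binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not the article's code): generate rui.key and rui.csr for an
# ESXi host non-interactively, stand in for the CA with a throwaway root, and
# run the checks worth doing before anything is copied to the host.
# Assumptions: openssl is on PATH; FQDN, organisation and CA name are
# placeholders; all files go to a scratch directory ($WORK).
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-testesx01.qa.lab}"   # placeholder: must be the host's real FQDN

# Key and CSR. -nodes: ESXi expects an unencrypted rui.key. rsa:2048 instead of
# the 1024-bit default of older openssl.cfg files. -subj replaces the prompts;
# the CN is the FQDN the host is reached under.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/C=IL/O=myIT/OU=IT/CN=$FQDN" \
        -keyout "$WORK/rui.key" -out "$WORK/rui.csr" 2>/dev/null
}

# Stand-in for the organisation's CA (a Microsoft CA does this step in practice).
make_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/CN=Example Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue rui.crt from the CSR. The SAN is added at signing time because current
# browsers ignore the CN and only match the name against subjectAltName.
sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.ext"
    openssl x509 -req -sha256 -days 730 -in "$WORK/rui.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/rui.crt" 2>/dev/null
}

# Check 1: the certificate's CN is the FQDN (the article's "name must match").
cert_cn() {
    openssl x509 -in "$WORK/rui.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Check 2: the SAN also carries the FQDN.
san_covers_fqdn() {
    openssl x509 -in "$WORK/rui.crt" -noout -text | grep -q "DNS:$FQDN"
}

# Check 3: rui.crt really was issued for rui.key (same public key).
key_matches_cert() {
    c=$(openssl x509 -in "$WORK/rui.crt" -noout -pubkey)
    k=$(openssl pkey -in "$WORK/rui.key" -pubout)
    [ "$c" = "$k" ]
}

# Check 4: the chain verifies against the root that clients will trust.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/rui.crt" >/dev/null 2>&1
}

# Check 5: the key is not passphrase-protected; hostd cannot prompt for one.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$WORK/rui.key"
}

prepare_host_cert() {
    make_csr && make_ca && sign_csr || return 1
    [ "$(cert_cn)" = "$FQDN" ] && san_covers_fqdn && key_matches_cert \
        && chain_verifies && key_is_unencrypted
}

if command -v openssl >/dev/null 2>&1; then
    if prepare_host_cert; then
        echo "rui.key, rui.csr and rui.crt for $FQDN are in $WORK"
    else
        echo "pre-install checks failed" >&2
        exit 1
    fi
else
    echo "openssl not found on PATH" >&2
fi
```

Point FQDN at the host's real name and drop make_ca and sign_csr when a real CA issues the certificate; the check functions work unchanged on the rui.crt the CA returns. The SAN step goes beyond the article: browsers have for years matched the host name against subjectAltName only, so a CN-only certificate still produces a warning even when the CN is correct. When the request goes to a Microsoft CA through the web interface, ask the CA administrator to add the SAN, because that interface does not take it from the CSR by default.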

Installing and configuring the certificate on the ESXi host

After the certificate is created, complete the installation and configuration of the certificate on the ESXi 5.x host:
  1. Log in to vCenter Server
  2. Put the host into Maintenance Mode.
  3. Navigate to the console of the server to enable SSH on the ESXi 5.x host.
  4. Press F2 to log in to the Direct Console User Interface (DCUI).
  5. Select Troubleshooting Options > Enable SSH.
  6. Log in to the host with your SSH client and navigate to /etc/vmware/ssl.
  7. Copy the existing rui.crt and rui.key to a backup location, such as a VMFS volume, so the original pair can be restored if the new one fails.
  8. Log in to the host with WinSCP and navigate to the /etc/vmware/ssl directory.
  9. Delete the existing rui.crt and rui.key from the directory.
  10. Upload the new rui.crt and rui.key into /etc/vmware/ssl. Make sure rui.key is the unencrypted private key that belongs to rui.crt, and that the file permissions match the originals you backed up (rui.key must be readable by root only).
  11. Switch back to the DCUI of the host and select Troubleshooting Options > Restart Management Agents.
  12. When prompted, press F11 to restart the agents. Wait until they are restarted.
  13. Press Esc several times until you log out of the DCUI.
  14. Exit the host from Maintenance Mode, and disable SSH again if it was enabled only for this procedure.
  15. Browse to https://FQDN as described in Validating FQDN to confirm the new certificate is presented without a warning.
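
The host-side part of this procedure as a script for the BusyBox shell on ESXi (an added example, not the article's or VMware's own code). It backs up the current pair, refuses a certificate that does not match the key or a passphrase-protected key, installs the new files with root-only permissions on rui.key, confirms by fingerprint that what landed in the SSL directory is what was staged, and restarts the management agents. The staging path under /vmfs/volumes is a placeholder; SSL_DIR defaults to /etc/vmware/ssl but can be pointed at a scratch directory to dry-run the file handling off the host; restarting hostd and vpxa through /etc/init.d is assumed to be the equivalent of the DCUI's Restart Management Agents.

```shell
#!/bin/sh
# Added example (not the article's code): the host-side steps as a script for
# the ESXi shell, so backup, sanity checks and permissions are not left to
# hand-typed commands. Assumptions: the new rui.crt/rui.key were uploaded to
# $STAGE (placeholder path); SSL_DIR defaults to /etc/vmware/ssl but can point
# at a scratch directory to dry-run the file handling off the host; openssl is
# available; /etc/init.d/hostd and vpxa are the agents the DCUI restarts.
set -eu

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"
STAGE="${STAGE:-/vmfs/volumes/datastore1/certs}"   # placeholder upload location
BACKUP="${BACKUP:-$STAGE/backup-$(date +%Y%m%d%H%M%S)}"

# Refuse a certificate and key that do not belong together: hostd would come
# back up without a working HTTPS listener.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# Refuse a passphrase-protected key for the same reason.
key_is_plain() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Keep the originals so the default pair can be put back if the new one fails.
backup_current() {
    mkdir -p "$BACKUP"
    cp -p "$SSL_DIR/rui.crt" "$SSL_DIR/rui.key" "$BACKUP/"
}

# Replace the pair and pin the permissions: the private key is root-only.
install_pair() {
    cp "$STAGE/rui.crt" "$SSL_DIR/rui.crt"
    cp "$STAGE/rui.key" "$SSL_DIR/rui.key"
    chmod 644 "$SSL_DIR/rui.crt"
    chmod 400 "$SSL_DIR/rui.key"
}

# SHA-256 fingerprint of a certificate; compare it with what the browser shows.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Equivalent of DCUI > Troubleshooting Options > Restart Management Agents.
restart_agents() {
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
}

# Run the checks, back up, install, and confirm that what is now on disk is
# the certificate that was staged. Returns non-zero without touching SSL_DIR
# when a check fails.
replace_host_cert() {
    pair_matches "$STAGE/rui.crt" "$STAGE/rui.key" || { echo "rui.crt does not match rui.key" >&2; return 1; }
    key_is_plain "$STAGE/rui.key" || { echo "rui.key is passphrase-protected" >&2; return 1; }
    backup_current
    install_pair
    [ "$(fingerprint "$SSL_DIR/rui.crt")" = "$(fingerprint "$STAGE/rui.crt")" ]
}

# Usage on the host: sh replace-cert.sh install   (then verify over https://FQDN)
if [ "${1:-}" = "install" ]; then
    replace_host_cert
    restart_agents
fi
```

Run it with the host in Maintenance Mode, as the steps above require. If hostd does not come back with the new certificate, copy the two files from the backup directory into place and restart the agents again; the backup is the reason step 7 exists.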
