Welcome to a post which will let you easily update your VMware ESXi host SSL certificates. Last year when I was writing my 15-part vSphere 5.1 installation and configuration series I didn’t include instructions on how to replace the ESXi SSL certificate. That process hasn’t changed for ages, so I put it on the back burner. Now the time has come to show you part 15 of the vSphere 5.1 install series, which is a semi-automated method to replace your ESXi SSL certificates.
vSphere 5.1 has relaxed the ESXi host certificate requirements a bit by not requiring the dataencipherment and nonrepudiation key properties, which previous versions required. However, I’ve included them in my script in case you have any 5.0 or 4.x hosts. It won’t hurt to have these properties enabled on a ESXi 5.1 certificate though.
Basic requirements for the script are:
- ESXi 4.x or 5.x host(s)
- OpenSSL installed (0.9.8 or higher, 32-bit or 64-bit)
- Online Windows Enterprise Certificate Authority (2008 R2 or higher recommended)
- vSphere CLI (I’ve tested with 5.x)
- Properly configured Windows Certificate template (see blog post here)
- DNS “A” record for your ESXi host
- Existing D:\Certs directory
If your ESXi host is already managed by vCenter, the HA agent can get very confused by the new SSL certificate thumbprint. I would strongly suggest you first put your host in maintenance mode, remove it from the vCenter inventory, update the SSL certificate, reboot the ESXi host, then re-add it to the vCenter inventory.
Since the script includes the creation of the CSR, you will need to modify the basic attributes of the SSL certificate variables, as shown in red below. Once you’ve modified the variables for your environment, just open an elevated VMware vSphere CLI prompt (not just a regular command prompt) and type the script name followed by the FQDN of your ESXi server.
The script will create a CSR, submit the CSR to your MS online CA, download the new certificate, and upload it to your ESXi host. You will be prompted twice to enter the root credentials of your ESXi host. Now simply reboot your ESXi server, re-add it to your inventory, and you are done! Can’t get much easier than this folks. In my case the CA certificate life is shorter than what my certificate template requested, so I got a warning message.
The script has some error checking, but it’s not super robust. You might get tripped up on the Cert_Template and CA_Name variables, so let me explain them. The Cert_Template is “template name” NOT the “Template display name”. While they are the same in my example, the “Template name” usually has spaces removed.
The CA_Name is NOT simply the hostname of your CA, but is the hostname of the CA AND the CA name which was configured during the CA installation process. You can find the CA name by opening the Certification Authority MMC and looking at the left pane.
Congratulations! You have now made it through the whole vCenter 5.1 installation process using trusted SSL certificates. Probably took way longer than you expected, and much more tedious than it should be. I would hope in vSphere v.Next that they overhaul what seems like a complete mess of internal handing of certificates. How about certificate revocation? How about the ability to completely remove a compromised certificate from all keystores?
@Echo off REM Change these variables for your environment. REM Do not put spaces between the = sign REM SSL Certificate Properties REM Country name must be exactly two letters Set countryName=US Set state=CA Set locality=San Diego Set organization=Contoso REM Certifiate Authority Properties Set Cert_Template=VMware-SSL Set CA_Name=D001DC02\Contoso-D001DC02-CA REM Existing parent path for the ESXi certificate directory Set Cert_Path=D:\certs REM REM -- Don't change anything below here -- REM set ESXiConfig=esxi.cfg if [%1]== ; GOTO :ERROR if not exist %Cert_Path%\ESXi mkdir %Cert_Path%\ESXi if exist "D:\program Files (x86)\VMware\Vmware vSphere CLI\bin" Set CLI=D:\program Files (x86)\VMware\Vmware vSphere CLI\bin if exist "C:\program Files (x86)\VMware\Vmware vSphere CLI\bin" Set CLI=C:\program Files (x86)\VMware\Vmware vSphere CLI\bin if exist "c:\OpenSSL-Win32\bin\openssl.exe" Set OpenSSL_BIN=c:\OpenSSL-Win32\bin\openssl.exe if exist "c:\OpenSSL-Win64\bin\openssl.exe" Set OpenSSL_BIN=c:\OpenSSL-Win64\bin\openssl.exe FOR /F "Tokens=1 delims=." %%A IN ("%1") DO SET Hostname=%%A ( Echo [ req ] Echo default_bits = 2048 Echo default_keyfile = rui.key Echo distinguished_name = req_distinguished_name Echo encrypt_key = no Echo prompt = no Echo string_mask = nombstr Echo req_extensions = v3_req Echo. Echo [ v3_req ] Echo basicConstraints = CA:FALSE Echo keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation Echo extendedKeyUsage = serverAuth, clientAuth Echo subjectAltName = DNS:%1, DNS:%hostname% Echo. Echo [ req_distinguished_name ] Echo countryName = %countryName% Echo stateOrProvinceName = %state% Echo localityName = %locality% Echo 0.organizationName = %organization% Echo commonName = %1 ) >%Cert_Path%\ESXi\%ESXiConfig% %OpenSSL_BIN% genrsa 2048 > %Cert_Path%\ESXi\rui.key %OpenSSL_BIN% req -out %Cert_Path%\ESXi\rui.csr -key %Cert_Path%\ESXi\rui.key -new -config %Cert_Path%\ESXi\%ESXiConfig% certreq -submit -f -config "%CA_NAME%" -attrib "CertificateTemplate:%Cert_Template%" %Cert_Path%\ESXi\rui.csr %Cert_Path%\ESXi\rui.crt "%CLI%\vifs.pl" --server %hostname% --put %Cert_Path%\ESXi\rui.key /host/ssl_key "%CLI%\vifs.pl" --server %hostname% --put %Cert_Path%\ESXi\rui.crt /host/ssl_cert Exit /B :ERROR Echo Please specify ESXi server FQDN (e.g. ESX01.domain.net).