VMware vSphere


Installing our own SSL certificate

  • 1.  Installing our own SSL certificate

    Posted Nov 27, 2019 09:02 AM

    Hi all,

    I seem to be going round in circles trying to upload an SSL certificate to ESXi 6.7.0. We are not managing this through a vCenter server; it's a standalone VM which will be host to a Cisco 9800 CL device.

    So far we have a SSL certificate in use by ESXi which has been generated by ESXi.

    Issuer

    O=VMware Installer

    Not valid after

    Tuesday, May 27, 2031, 18:16:46 +0100

    Not valid before

    Tuesday, November 26, 2019, 17:16:46 +0000

    Subject

    unstructuredName=1574788605\,564d7761726520496e632e,CN=smyserver.mycompany.local,emailAddress=ssl-certificates@vmware.com,OU=VMware ESX Server Default Certificate,O=VMware\, Inc,L=Palo Alto,ST=California,C=US

    Whenever I browse to the webGUI of this device I am getting a security alert which is to be expected as I have not installed the above certificate but my aim is to use our local STAR.mycompany.local certificate on the ESXi device as this is what we use on all of our servers around the company. The certificate is then pushed out across our domain so no id

    So, I have tried to replace the SSL cert with our company certificate but it just gives errors and reverts back to the original one. I have tried to follow several guides also and 9 times out of 10 I am losing all access to the device and I have to reinstall. I am using a PEM file but maybe it has to be converted somehow?

    Can anyone give me any tips on how I can get this to work?



  • 2.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 09:17 AM

    Hi,

    Replacing the SSL/TLS certificates can be complex, especially if you have not fully understood how PKI works (I think I understand PKI, but replacing certificates can be challenging). I'm using this KB article (VMware Knowledge Base KB2097936) when I have to replace or modify VCSA certificates.

    I tend to deploy the VMCA as a Sub-CA of my Root or Issuing CA. In this case, the VMCA can issue certificates for my ESXi hosts and I only have to deploy the Sub-CA certificate from the VMCA.

    What certificate do you have? A single wildcard certificate?



  • 3.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 09:45 AM

    Hi Blazilla,

    Thanks for your reply. I have had a look at the knowledge base article that you referenced and tried to work through it but I fail at the first hurdle!

    [root@myserver:~] /usr/lib/vmware-vmca/bin/certificate-manager
    -sh: /usr/lib/vmware-vmca/bin/certificate-manager: not found

    I think I have every certificate type going and I have tried all of them, all of them say they have failed.

    I have wildcard.local.cert.pem, intermediate.cert.pem, chain.cert.pem, key.pem, and ca.cert.pem. I don't really understand the difference between them all or what the ESXi is specifically looking for.

    If I inspect the existing certificate generated by the ESXi it looks the same as my wildcard.local.cert.pem and around the same length, but it just won't accept it.



  • 4.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 09:48 AM

    Did you try to enter the command at the Bash prompt of the vCenter Server Appliance?



  • 5.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 09:54 AM

    Hi,

    I'm not using vCenter; it's just standalone ESXi via the navigator or direct SSH, as we only have a VMware vSphere 6 Hypervisor license.

    Can it be done without obtaining a license for vCenter?



  • 6.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 09:57 AM

    Ah okay, when using ESXi, you have to use a different way. Check this VMware KB article: VMware Knowledge Base



  • 7.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 10:38 AM

    Hmm, I seem to be making slow progress, but it's some progress!

    I read through and found this article Replace the Default Certificate and Key from the ESXi Shell which I followed as it seemed more appropriate to our setup. The guide you supplied I think assumed that the host was on Windows.

    So, I renamed the key and crt like it suggested and replaced them with our own and rebooted.

    It's now pinging back, I can access via SSH and I do not get any security warnings when attempting to connect to the navigator...but it says the site cannot be reached.

    Any ideas apart from rolling back to the original files?

    BTW, thanks for all your help so far!



  • 8.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 10:40 AM

    Do you have a backup of the original certificate files?



  • 9.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 10:45 AM

    Yeah I have them, worst case scenario I can just restore them. So frustrating though, I feel so close yet so far from finding the solution!

    EDIT: I take that back, I've just gone to restore and they aren't there! Not having much luck!



  • 10.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 11:02 AM


  • 11.  RE: Installing our own SSL certificate

    Posted Nov 27, 2019 12:03 PM

    Thank you! Saved me from having to reinstall but I'm back to square one again now :smileysad:



  • 12.  RE: Installing our own SSL certificate

    Posted Dec 02, 2019 08:06 PM

    Standalone server ESXi 6.7:

    Manage > System > Advanced settings. Set Misc.PreferredHostName (shortname).

    Networking > TCP/IP stacks > Default TCP/IP stack. Set Host name and Domain name. Enter maintenance mode and reboot the host for the changes to take effect.

    Manage > Security & users > Certificates. Click Import new certificate.

    Most likely you want Generate FQDN signing request. Copy the CSR into a text file (DO NOT REBOOT HOST OR THE PENDING CSR PRIVATE KEY IS WIPED AND YOU WILL HAVE TO GENERATE A NEW REQUEST).

    Send the text file to your CA admin, point them to these articles for CSR requirements and CA template requirements.

    Requirements for ESXi Certificate Signing Requests

    VMware Knowledge Base

    Export the signing CA Root and any Intermediary if your environment has any, in PEM format so it is text readable. Open the certificate file you get back from the request in Notepad. Same for the CA root and intermediaries. Make sure each BEGIN CERTIFICATE and END CERTIFICATE are on their own line. For example:

    -----BEGIN CERTIFICATE-----
    <Certificate of Host>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Certificate of intermediary CA>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Certificate of Root CA>
    -----END CERTIFICATE-----

    Go back to Manage > Security & users > Certificates. Open Import new certificate, copy the entire certificate text file with the intermediary/Root CA certificates, and paste into the region provided. Click the Import button at the bottom.
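The chain layout described in the post above, as an added example that is not from the original post or from VMware: a small stdlib-only Python checker that flags the formatting problems the post warns about (a BEGIN or END marker sharing a line with another, the wrong number of blocks, a body that does not decode to DER) and rewrites the file so every marker sits on its own line. The certificate bodies in the sample are constructed placeholders, not real certificates; the checker does not verify signatures or the host/intermediate/root ordering, which would need an X.509 parser.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_blocks(text):
    """Return the base64 body of every CERTIFICATE block, with all whitespace
    removed, even when markers were glued together by concatenating files."""
    return [re.sub(r"\s+", "", body) for body in _BLOCK.findall(text)]


def check_chain(text, expected_blocks=3):
    """Return a list of problems; an empty list means the file is import-ready
    as far as layout goes (host, intermediate, root = 3 blocks by default)."""
    problems = []
    for line in text.splitlines():
        s = line.strip()
        if (BEGIN in s or END in s) and s not in (BEGIN, END):
            problems.append("marker not on its own line: " + s[:60])
    blocks = split_pem_blocks(text)
    if len(blocks) != expected_blocks:
        problems.append("expected %d certificates, found %d" % (expected_blocks, len(blocks)))
    for i, b64 in enumerate(blocks, 1):
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            problems.append("certificate %d: body is not valid base64" % i)
            continue
        if not der or der[0] != 0x30:  # every X.509 cert is a DER SEQUENCE
            problems.append("certificate %d: decoded body is not a DER SEQUENCE" % i)
    return problems


def normalize_chain(text):
    """Re-emit the blocks in their original order, markers on their own lines,
    bodies wrapped at 64 characters as OpenSSL writes them."""
    out = []
    for b64 in split_pem_blocks(text):
        out.append(BEGIN)
        out.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(END)
    return "\n".join(out) + "\n"


# Constructed sample: "MAMCAQE=" is a 5-byte DER SEQUENCE placeholder, not a
# certificate; the second block's END marker is glued to the third's BEGIN,
# which is what happens when files without a trailing newline are concatenated.
SAMPLE_GLUED = (
    BEGIN + "\nMAMCAQE=\n" + END
    + BEGIN + "\nMAMCAQE=\n" + END + "\n"
    + BEGIN + "\nMAMCAQE=\n" + END + "\n"
)
```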



  • 13.  RE: Installing our own SSL certificate

    Posted Dec 03, 2019 01:36 AM

    As per the mentioned KB (KB2113926), ESXi does not support wildcard certificates. The certificate has to be unique to the host it applies to.