Adding Custom Certificate on ESXi hosts through CLI

Article ID: 317244

Products

VMware vSphere ESXi

Issue/Introduction

This KB outlines the steps to add a custom certificate as a root CA to the ESXi host's trusted CA store (castore.pem) without bypassing certificate-based SSL authentication. The root CA can then be used to sign intermediate certificates and/or the host certificate (i.e. the private key / public key pair). Before making any changes, confirm with the customer whether they are already using any third-party trusted certificates.


Environment

VMware vSphere ESXi 6.7
VMware vSphere ESXi 6.0
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 7.0.0

Resolution

Process to add a custom certificate on ESXi hosts through the CLI:

  1. Set the vCenter Server to custom certificate mode by following the steps in the link outlined here.
  2. Ensure the custom Root certificate is retrieved in advance before proceeding.
  3. Place the ESXi host in maintenance mode (evacuate all data to other hosts).
  4. Disconnect the ESXi host from the cluster.
  5. SSH into the ESXi host.
  6. Run this command to take a backup of the castore.pem file:
     # cp /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.bak
     Note: The host will be rebooted in the following steps. If castore.pem.bak may be needed later, copy it off the ESXi host (for example with scp) before continuing.
  7. Copy the Root certificate to /etc/vmware/ssl/Root.cer.
     Note: If one or more intermediate certificate authorities are in use, Root.cer must contain the full chain: every intermediate certificate followed by the root certificate.
  8. Append the Root certificate to the castore.pem file (from the /etc/vmware/ssl directory):
     # cat Root.cer >> castore.pem
     Note: Multiple root certificates can be appended, but the ESXi host certificate must be signed by one of them; the host's PEM file should contain the machine SSL certificate, the intermediate certificate(s) and the root certificate.
  9. Delete the Root certificate file:
     # rm Root.cer
  10. Replace the default rui.crt and rui.key with the trusted CA-signed certificate and key, following "Replace the Default Certificate and Key from the ESXi Shell".
  11. After applying the custom certificate on the ESXi host, persist the changes to the system disk by running /sbin/auto-backup.sh.
  12. Restart the ESXi host.
  13. Reconnect the ESXi host to its original cluster.
  14. Exit maintenance mode.

NOTE: This process can also be used on a vSAN cluster to authenticate the hosts in that cluster. Because Chrome, Internet Explorer and Edge do not offer an option to download PEM certificates, Mozilla Firefox for Windows can be used instead.
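The backup-and-append steps above can be wrapped so that the store is never left with a malformed or duplicated root. The following POSIX sh script is an added example, not part of this KB or of ESXi: it checks that Root.cer is a balanced PEM bundle, takes the same .bak copy, appends only certificates not already present, and (when openssl is available, as it is in the ESXi shell) verifies rui.crt against the updated store. The function names and the optional openssl verification step are this example's own assumptions; the paths default to the ESXi locations named in the article.

```shell
#!/bin/sh
# Added example (not from the KB): safely append a root CA to an
# ESXi-style castore.pem, then verify the host certificate against it.

# Print each certificate in a PEM bundle as a single base64 line so
# that two bundles can be compared block by block.
pem_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {b=""; in_cert=1; next}
         /^-----END CERTIFICATE-----$/   {print b; in_cert=0; next}
         in_cert {b = b $0}' "$1"
}

# Succeed only if the file holds at least one complete BEGIN/END pair.
pem_is_wellformed() {
    [ -s "$1" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1")
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1")
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# append_root_ca STORE ROOT_CER: back up STORE (as the KB does), then
# append every certificate from ROOT_CER that STORE does not already
# contain. Prints the number of certificates appended.
append_root_ca() {
    store="$1"; root="$2"
    pem_is_wellformed "$root" || { echo "bad PEM bundle: $root" >&2; return 1; }
    cp "$store" "$store.bak" || return 1
    existing=$(pem_blocks "$store")
    added=0
    for blk in $(pem_blocks "$root"); do
        if ! printf '%s\n' "$existing" | grep -qxF "$blk"; then
            {
                echo '-----BEGIN CERTIFICATE-----'
                printf '%s\n' "$blk" | fold -w 64
                echo '-----END CERTIFICATE-----'
            } >> "$store"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# verify_host_cert STORE RUI_CRT: confirm rui.crt chains to a CA in the
# store. Skipped (with a message) when openssl is not on the PATH.
verify_host_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing, skipped" >&2; return 0; }
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Typical use on the host, run from /etc/vmware/ssl:
#   append_root_ca castore.pem Root.cer && verify_host_cert castore.pem rui.crt
```

Running append_root_ca a second time with the same Root.cer reports 0 appended and leaves castore.pem unchanged, which is the property the plain `cat >>` step lacks.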