Process to add Custom Certificate on ESXi hosts through CLI:
- Set the vCenter Server to custom certificate mode by following the steps outlined here.
- Ensure the custom Root certificate is retrieved in advance before proceeding.
- Place the ESXi host in maintenance mode (Evacuate all data to other hosts)
- Disconnect the ESXi host from the cluster.
- SSH into the ESXi host
- Run this command to take a backup of the castore.pem file:
# cp /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.bak
Note: The host will be rebooted in a later step. If castore.pem.bak may be needed in the future, copy it off the ESXi host (for example with scp) before continuing.
- Copy the Root certificate to /etc/vmware/ssl/Root.cer
Note: If there are one or more intermediate certificate authorities, Root.cer must contain the full chain: all intermediate certificates followed by the root certificate.
- Append the Root certificate to the castore.pem file with this command (full paths, so it works from any working directory):
# cat /etc/vmware/ssl/Root.cer >> /etc/vmware/ssl/castore.pem
Note: Multiple root certificates can be appended, but the ESXi host certificate must be signed by one of them (the host certificate PEM file should contain the machine SSL certificate, any intermediate certificates, and the root certificate).
- Delete the copied Root certificate:
# rm /etc/vmware/ssl/Root.cer
- Replace the default rui.crt and rui.key with the trusted CA-signed certificate and key, as described in Replace the default Certificate and Key from the ESXi Shell.
- After applying the custom certificate on the ESXi host, persist the changes to the system disk by running /sbin/auto-backup.sh
- Restart the ESXi host.
- Reconnect the ESXi host back to the original cluster.
- Exit maintenance mode.
NOTE: This process can also be used on a vSAN cluster to authenticate the hosts in that cluster. As Chrome, IE and Edge do not offer an option to download the PEM certificates, Mozilla Firefox for Windows can be used instead.
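Before the reboot step it is worth confirming that the appended castore.pem is well-formed, that rui.key really belongs to rui.crt, and that rui.crt chains to a root now present in castore.pem. The script below is an added example, not part of the KB article; it assumes the default ESXi path /etc/vmware/ssl and that the openssl binary is available in the ESXi shell, and its demo mode builds constructed throwaway material rather than touching real host files.

```shell
#!/bin/sh
# Added example, not from the KB: pre-reboot sanity checks on the files the
# procedure above modifies. Assumes /etc/vmware/ssl and an openssl binary.
SSLDIR="${SSLDIR:-/etc/vmware/ssl}"

# Returns 0 when the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = certificate file, $2 = private key file
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when the host certificate chains to a root held in castore.pem.
# Intermediates, if any, live inside the certificate file itself, so the
# file is also offered to openssl as untrusted chain material.
cert_trusted_by_castore() {  # $1 = certificate file, $2 = castore.pem
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Checks a directory holding castore.pem, rui.crt and rui.key.
check_esxi_cert_material() {  # $1 = directory
    d=$1
    n=$(grep -c 'BEGIN CERTIFICATE' "$d/castore.pem" 2>/dev/null)
    [ "${n:-0}" -ge 1 ] || { echo "castore.pem: no certificates found"; return 1; }
    [ "$n" -eq "$(grep -c 'END CERTIFICATE' "$d/castore.pem")" ] \
        || { echo "castore.pem: BEGIN/END count mismatch (bad append?)"; return 1; }
    key_matches_cert "$d/rui.crt" "$d/rui.key" \
        || { echo "rui.key does not belong to rui.crt"; return 1; }
    cert_trusted_by_castore "$d/rui.crt" "$d/castore.pem" \
        || { echo "rui.crt does not chain to any root in castore.pem"; return 1; }
    echo "ok: $n CA cert(s) in castore.pem; rui.crt and rui.key are consistent"
}

# Constructed throwaway material (a demo root CA and host cert) for a dry run;
# these are not real ESXi files. Prints the directory it created.
make_demo_material() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/Root.cer" -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/rui.key" \
        -out "$d/rui.csr" -subj "/CN=esxi01.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/rui.csr" -CA "$d/Root.cer" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/rui.crt" -days 1 >/dev/null 2>&1
    : > "$d/castore.pem"                   # stands in for the existing store
    cat "$d/Root.cer" >> "$d/castore.pem"  # the append step from the procedure
    echo "$d"
}

# Run as "sh esxi-cert-check.sh live" on the host once the steps above are done.
if [ "${1:-}" = "live" ]; then check_esxi_cert_material "$SSLDIR"; fi
```

Run it without the `live` argument to load the functions only, or call `check_esxi_cert_material "$(make_demo_material)"` for a dry run on the constructed material.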