In this lab we will perform the following tasks:
- Configure the CA (signed certificate) prerequisites.
- Create the certificate request.
- Get the signed certificate from the CA.
- For commercial CAs (optional in our case)
- For the Microsoft CA
- Install and configure the signed certificate on the ESXi host.
- Verify the ESXi signed SSL certificate.
- Use case 1: checking from a system joined to the domain (vmlab.com)
- Use case 2: checking from a system not joined to the domain (vmlab.com)
1-Configure CA (signed certificate) prerequisites.
Several different workflows are required for a successful implementation of an SSL certificate on ESXi hosts. This information has been taken from VMware KB article 2015387:
- Creating the certificate request
- Getting the signed certificate from the CA
- Installing and configuring the signed certificate on the ESXi host
Note: Wildcard certificates are not supported at the time of this post.
These steps must be followed to ensure successful implementation of a custom certificate on an ESXi 5.x host. Before attempting these steps, ensure that:
- You have a vSphere 5.x environment.
- OpenSSL is configured for the installation and configuration of CA-signed certificates in the vSphere environment (KB 2015387 describes the Windows setup); in my case I am using the Linux OpenSSL utility.
- You have an SSH client (such as PuTTY) installed.
- You have an SFTP/SCP client (such as WinSCP) installed.
2-Create certificate request
Open the SSH session. Before proceeding further, verify that OpenSSL is installed properly; on Linux, use the command below (`openssl version` prints the installed version).
Generate the CSR. (This creates the certificate request, rui.csr, together with its private key.)
Note: make sure the “common name” is exactly the same name (FQDN) as you entered in DNS. A certificate whose name does not match what clients type into the browser still produces a name-mismatch warning even once the chain is trusted.
Convert the key to RSA format by running the following command. Depending on the OpenSSL version, the key written by the CSR step may be in PKCS#8 form (the file starts with “BEGIN PRIVATE KEY”); the rui.key that ESXi 5.x loads must be a traditional RSA PEM key (“BEGIN RSA PRIVATE KEY”), which is what this conversion produces.
Verify the converted RSA key.
When rui.csr is created, proceed to Getting the signed certificate from the CA.
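As an added example (my own script, not code from the original post or from VMware KB 2015387), here is section 2 end to end as a POSIX shell script: key and CSR generation with the FQDN as CN, the conversion to a traditional RSA key, and the file checks that sections 4 and 5 later do by hand (no ^M characters, the certificate chains to the root, it names the host, and it belongs to the key being installed). So that it runs offline, a throwaway local CA stands in for the Microsoft CA of section 3. The host name esxi-1-rg.vmlab.com is the one this post uses later; the ./esxi-ssl work directory, the O/OU subject fields and the CA name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or VMware KB 2015387): section 2 end
# to end, plus the file checks of sections 4 and 5. Assumptions: host FQDN
# esxi-1-rg.vmlab.com, work dir ./esxi-ssl, and a throwaway local CA that stands
# in for the Microsoft CA so everything runs offline.
set -eu

WORKDIR="${WORKDIR:-./esxi-ssl}"
HOST_FQDN="${HOST_FQDN:-esxi-1-rg.vmlab.com}"

# Request config. CN must be the FQDN exactly as registered in DNS; the
# subjectAltName repeats it because current browsers ignore the CN.
write_req_config() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/openssl.cfg" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
O  = vmlab
OU = ESXi
CN = $HOST_FQDN
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$HOST_FQDN
EOF
}

# "Generate CSR": new private key (rui-orig.key) and request (rui.csr).
gen_csr() {
    write_req_config
    openssl req -new -nodes -newkey rsa:2048 -config "$WORKDIR/openssl.cfg" \
        -keyout "$WORKDIR/rui-orig.key" -out "$WORKDIR/rui.csr"
}

# "Convert the key to RSA format" and "Verify the converted RSA key".
# ESXi 5.x wants a traditional RSA PEM key (BEGIN RSA PRIVATE KEY) while
# openssl req writes PKCS#8 (BEGIN PRIVATE KEY). OpenSSL 3 needs -traditional
# for that; OpenSSL 1.x lacks the flag but writes the traditional form anyway.
convert_key() {
    openssl rsa -in "$WORKDIR/rui-orig.key" -out "$WORKDIR/rui.key" -traditional 2>/dev/null \
        || openssl rsa -in "$WORKDIR/rui-orig.key" -out "$WORKDIR/rui.key"
    grep -q 'BEGIN RSA PRIVATE KEY' "$WORKDIR/rui.key"
    openssl rsa -check -noout -in "$WORKDIR/rui.key" >/dev/null
}

# Throwaway root CA (lab only) standing in for the Microsoft CA of section 3.
make_test_ca() {
    cat > "$WORKDIR/ca.cfg" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca
[ ca_dn ]
CN = vmlab-test-root-ca
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -config "$WORKDIR/ca.cfg" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt"
}

# What the CA does with rui.csr; rui.crt is the file the post downloads.
sign_csr() {
    openssl x509 -req -in "$WORKDIR/rui.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORKDIR/openssl.cfg" -extensions v3_req \
        -out "$WORKDIR/rui.crt"
}

# Section 4 check: stray ^M (carriage returns) from a Windows editor or transfer.
has_crlf()   { grep -q "$(printf '\r')" "$1"; }
strip_crlf() { tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# Section 5 checks done offline with openssl instead of a browser: the cert
# chains to the root, names the host, and belongs to the key we will install.
verify_chain()     { openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/rui.crt" >/dev/null; }
cert_names_host()  { openssl x509 -noout -text -in "$WORKDIR/rui.crt" | grep -q "DNS:$HOST_FQDN"; }
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$WORKDIR/rui.crt")" = \
      "$(openssl rsa -noout -modulus -in "$WORKDIR/rui.key")" ]
}

run_all() {
    gen_csr && convert_key && make_test_ca && sign_csr \
        && ! has_crlf "$WORKDIR/rui.crt" && verify_chain && cert_names_host && key_matches_cert \
        && echo "rui.key and rui.crt in $WORKDIR are ready for /etc/vmware/ssl"
}

# Usage: sh esxi-cert.sh run
if [ "${1:-}" = "run" ]; then run_all; fi
```

Run it with `sh esxi-cert.sh run`. In the real workflow you stop after convert_key, submit rui.csr to the Microsoft CA as in section 3 and save the downloaded Base-64 certificate as rui.crt in the same directory; the check functions then work unchanged with the CA's Base-64 root certificate in place of ca.crt. The same `openssl verify -CAfile root.crt rui.crt`, or `openssl s_client -connect esxi-1-rg.vmlab.com:443 -CAfile root.crt` against the live host, is also the quickest way to reproduce use case 2 from a Linux or macOS client instead of a Windows one.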
3-Getting the signed certificate from the CA
After the certificate request is created, it must be given to the certificate authority, which generates the actual certificate. The authority returns the certificate and, if necessary, a copy of its root certificate. For the certificate chain to be trusted, the root certificate must be installed on every system that validates it (vCenter Server and the clients that connect to the host).
For commercial CAs (optional in our case):
Take the certificate request (rui.csr, as generated above) and send it to the authority in question.
The authority will send back the generated certificate.
Install the root certificate on the vCenter Server before proceeding to the Installation of the certificate section of this document.
For Microsoft CA:
Log in to the Microsoft CA web enrollment interface. By default it is http://<servername>/CertSrv/
Click “Request a certificate”.
Click “advanced certificate request”.
Click “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”.
Open the certificate request (rui.csr) in a plain text editor.
Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the “Saved Request” box. Make sure there is no blank space at the start or the end.
Select the “VMWare Template” certificate template (which we created in the CA server installation section) and click “Submit” to submit the request.
Click “Base 64 encoded” on the Certificate Issued screen.
Click “Download certificate”.
*NOTE: Save the certificate on the desktop or any other drive of the server as “rui.crt”. Choose Base 64 rather than DER here; ESXi reads rui.crt as a PEM file.*
Here is the final look.
When complete, proceed to Installing and configuring the certificate on the ESXi host to complete the configuration of the custom certificate.
4-Install and configure the signed certificate on the ESXi host
After the certificate is created:
Log in to vCenter Server (https://vc-rg.vmlab.com:9443/vsphere-client).
Put the host into maintenance mode.
Verify that the ESXi host is in maintenance mode.
Navigate to the console of the server to enable SSH on the ESXi 5.x host.
Press F2 to log in to the Direct Console User Interface (DCUI).
Select Troubleshooting Options > Enable SSH (skip this if SSH is already enabled).
Log in to the host over SSH (launch PuTTY).
Navigate to the /etc/vmware/ssl directory and copy the SSL files to a backup location. In my lab, I created a backup folder in the same place and moved the existing certificate files into the backup folder as shown.
Log in to the host with WinSCP.
Delete the existing rui.crt and rui.key from the directory (/etc/vmware/ssl).
NOTE: skip this step because we already moved them to the backup folder.
Drag rui.crt and rui.key from the desktop to /etc/vmware/ssl on the ESXi host; when prompted, click Copy.
Type `less rui.crt` to validate that there are no special characters (^M) in the certificate file.
*NOTE: There should not be any stray ^M characters at the end of each line. They are Windows carriage returns: if they are present, the file was saved or transferred with Windows line endings and the management agents may not be able to load it, so strip them (for example with `tr -d '\r'` on a Linux machine) or transfer the file again in text mode before restarting the agents. Check rui.key the same way.*
Switch back to the DCUI of the host and select Troubleshooting Options > Restart Management Agents.
When prompted, press F11 to restart the agents. Wait until they have restarted.
Press Esc several times until you log out of the DCUI.
Exit the host from maintenance mode.
When complete, the host is made available again and rejoins the cluster.
*NOTE: If you have a fresh environment and your host has not joined vCenter yet, skip the maintenance mode steps and install the certificate directly on the host.*
5-Verify the ESXi signed SSL certificate.
To verify, open the ESXi web page https://esxi-1-rg.vmlab.com. Before the signed certificate was installed you would see an SSL certificate warning.
After SSL installation:
Use case 1: checking from a system joined to the domain (vmlab.com).
*In this use case every system is on the same domain as the CA server. This is a feature of an Enterprise Root CA: every host automatically receives the root CA certificate when it joins the domain.*
There is no SSL certificate warning anymore. Great work 🙂
Check the certificate.
Click the lock icon and view the certificate information. For details, click View certificates.
Check the issuer (certificate authority), the issued-to name and the validity period of this certificate.
Check and verify the certificate chain: it should end at the root CA that issued the certificate, not at the self-signed certificate the host had before.
Use case 2: checking from a system not joined to the domain (vmlab.com).
*In this use case your system is not on the CA's domain (vmlab.com), so you have to manually trust the CA root certificate in order to trust the certificates issued under it.*
Click Certificate error > View certificates.
Note that even with the correct certificate installed we still get the error message, because this client does not yet trust the issuing root.
Download the root CA certificate.
Go to the CA server and open http://ip-of-the-host/certsrv
Click “Download a CA certificate, certificate chain, or CRL”.
Select “Base 64” and click “Download CA certificate” to download the root CA certificate.
Place the root CA certificate on the machine that is not on the domain and on which you want to import it.
Right-click the certificate > Install Certificate > click Next.
Select “Place all certificates in the following store”, click Browse and select “Trusted Root Certification Authorities”.
Click Next > Finish.
After a few seconds you will be prompted with a security warning; click Yes. Before you do, compare the thumbprint shown in the warning with the thumbprint of the root certificate on the CA server: from this point on, everything signed by that root will be trusted by this machine.
Open the ESXi URL (https://esxi-1-rg.vmlab.com) again, or just refresh it.
You will notice the lock icon. No more certificate warnings 🙂
REPEAT THE SAME STEPS FOR THE OTHER (RESOURCE GROUP AND MANAGEMENT) ESXI SERVERS TO INSTALL THE SIGNED CERTIFICATE