This article explains how to install SSL certificates on your ESXi machine & vCenter for browser compatibility.
First, on your Linux server, generate the SSL certificate request as explained below.
This will generate both the private key and the CSR file. If you are generating certificates for multiple hosts, create a separate directory for each host.
cd /tmp
mkdir your-esx-hostname
cd your-esx-hostname
openssl req -new -nodes -out rui.csr -config /tmp/openssl.conf
The above command will generate the following two files:
- rui.key – Private key for this host
- rui.csr – Certificate signing request file
For detailed steps, refer to how to generate SSL certificate article.
Use an sFTP client (for example, WinSCP) to download the directories you created to your workstation (c:\temp). These files can then be used to generate the .cer file (certificate), which can be installed on ESXi. Move the .cer into the same directory as the .key on your workstation: C:\temp\your-esx-hostname\
Install Certificates on ESXi
1. Put the host in maintenance mode.
2. Backup the old certificates.
3. Copy the new certificate and key. Open vCLI. Start > All Programs > VMware > VMware vSphere CLI > Command Prompt, and execute the following:
perl vifs.pl --server --put C:\temp\your-esx-hostname\.cer /host/ssl_cert
perl vifs.pl --server --put C:\temp\your-esx-hostname\rui.key /host/ssl_key
4. Reload the certificate. Log in to the DCUI, select Troubleshooting Options, then select Restart Management Agents. Alternatively, you can simply reboot the host to reload the certificate.
5. Cleanup: Remove the backup from C:\temp on your workstation. Remove the \tmp\ directory from the Linux server. Exit maintenance mode.
Finally, verify your certificate: Connect to the host with a web browser. You should not see any certificate errors. Click the “Lock” icon and select “view certificate”. Check the “valid from” date to ensure it is the correct date.
Install Certificates on Your vCenter
1. Generate the CSR and the private key using the same steps outlined above using the Linux server. Replace ESX hostname with the vcenter hostname.
2. Use an sFTP client (for example, WinSCP) to download the directories you created to your workstation (c:\temp).
3. These files can then be used to generate the .cer file (certificate), which can be installed on vCenter. Move the .cer into the same directory as the .key on your workstation: C:\temp\your-esx-hostname\
4. The generated .cer file must be uploaded back to the Linux server, which is used to generate the PFX file.
5. Using WinSCP, upload the .cer to the /tmp/ directory of the server.
6. SSH into the host, and do the following:
First, rename the certificate.
cd /tmp/
mv .cer rui.crt
Next, generate PFX using openssl command:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
Verify your PFX file. Enter “testpassword” whenever it prompts for a password. It may ask for the password more than once. If you see certificate details, the PFX has been generated correctly.
openssl pkcs12 -in rui.pfx -info
7. SCP the rui.crt and rui.pfx files back to your workstation C:\temp\
8. This directory C:\temp\ should now contain 3 files: rui.key, rui.crt, and rui.pfx
9. RDP into the vCenter Server, and go to: %programdata%\VMware\VMware VirtualCenter\SSL
10. Create a new folder called “Backup” and move the existing rui.key, rui.pfx, and rui.crt to the Backup folder. Repeat for Inventory Services Certificates: E:\Program Files (x86)\VMware\Infrastructure\VirtualCenter Server\Inventory Service\ssl
11. Copy rui.pfx, rui.crt, and rui.key from your workstation to the following directories on the vCenter Server.
- %programdata%\VMware\VMware VirtualCenter\SSL
- E:\Program Files (x86)\VMware\Infrastructure\VirtualCenter Server\Inventory Service\ssl
12. Open a web browser on the vCenter Server and go to: http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1
- Click on reloadSSLCertificate
- Click on Invoke Method
- It should return void
- Close the browser
13. To verify the certificate, open a web browser and enter the URL of the vCenter Server. There should be no certificate warnings.
14. Finally, to clean up the old certificates, do the following:
- On the vCenter Server, browse to: %ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter
- Open vpxd.cfg in wordpad.
- Change the value of to false
- Save and close the file.
- Restart the vCenter Service:
- Start > Administrative Tools > Services
- Click on VMware VirtualCenter Server
- Click Restart
- Remove the backup from C:\temp.
- Remove the \tmp\ directory from the Linux server.
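The openssl steps of this guide (CSR generation in the first section, PFX creation and verification in step 6 above), gathered into one script as an added example that is not from the original article. It assumes openssl is on PATH, passes the subject with -subj instead of the guide's /tmp/openssl.conf, and uses a constructed self-signed certificate in place of the CA-issued .cer; it adds a check that the certificate actually belongs to rui.key before the pair is copied to any host.

```shell
#!/bin/sh
# Added example: CSR -> (stand-in) certificate -> key/cert match check -> PFX.
# Assumptions: openssl on PATH; no CA is available offline, so a throwaway
# self-signed certificate stands in for the .cer the CA would return.
set -e

# build_pfx HOSTNAME PFX_PASSWORD [WORKDIR]
# Runs in a subshell so the caller's working directory is unchanged;
# prints the directory holding rui.key, rui.csr, rui.crt and rui.pfx.
build_pfx() (
  host="$1"; pass="$2"; dir="${3:-$(mktemp -d)}"
  cd "$dir"

  # Guide, first section: private key and CSR for this host.
  openssl req -new -nodes -newkey rsa:2048 -keyout rui.key -out rui.csr \
      -subj "/CN=$host" >/dev/null 2>&1

  # Constructed stand-in for the CA-issued certificate (already renamed
  # to rui.crt as in step 6 of the guide).
  openssl x509 -req -in rui.csr -signkey rui.key -days 365 \
      -out rui.crt >/dev/null 2>&1

  # Extra check: the public key inside the certificate must equal the
  # public key derived from rui.key. ESXi receives the two files
  # separately (step 3 of the ESXi section), so verify the pair here.
  crt_pub=$(openssl x509 -in rui.crt -noout -pubkey)
  key_pub=$(openssl pkey -in rui.key -pubout)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "rui.crt does not match rui.key" >&2
    exit 1
  fi

  # Guide, step 6: package key and certificate as rui.pfx.
  openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui \
      -passout "pass:$pass" -out rui.pfx

  # Guide, step 6 verification, made non-interactive with -passin.
  openssl pkcs12 -in rui.pfx -info -noout -passin "pass:$pass" >/dev/null 2>&1
  echo "$dir"
)
```

The printed directory is what you would then copy to C:\temp\ with WinSCP before carrying on with step 7.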