Our community of experts have been thoroughly vetted for their expertise and industry experience. Experts with Gold status have received one of our highest-level Expert Awards, which recognize experts for their valuable contributions.
EE Fellow, MVE, Expert of the Year 2021,2017-11, Scribe 2016-2012, Author of the Year 2018-6,2013-2012 VMware vExpert Pro, vExpert 2022-2011
HOW TO: Configure and Replace the SSL Certificate on a VMware vSphere Hypervisor 5.1 (ESXi 5.1) Host Server
Most of my previous VMware articles featured intermediate VMware topics. My next series of articles will concentrate on topics for the VMware novice; this is the twelfth article in this series.
If you would like to read the other articles in this series, they are listed here for your convenience.
During this series of articles VMware released VMware vSphere 5.5 and VMware vSphere Hypervisor ESXi 5.5. These articles are also applicable to VMware vSphere Hypervisor ESXi 5.x and 5.5. For consistency, I have used VMware vSphere Hypervisor ESXi 5.1 throughout this series.
In this series of basic VMware articles for the Novice, I'll be showing you the basic VMware skills required to install, configure and deploy virtual machines using VMware's FREE VMware vSphere Hypervisor (ESXi).
A Security Warning will appear, stating an untrusted SSL certificate is installed on your server. This is normal, because it's a VMware "self-signed" certificate.
In this tutorial article, I will outline a procedure for configuring and replacing the SSL certificate on a VMware vSphere Hypervisor 5.1 (ESXi 5.1) host server.
The above software products must be installed; it is beyond the scope of this document to show how to install the software prerequisites.
1. Creating the SSL certificate request
Firstly, we need to erase the contents of the file openssl.cfg. By default this file can be found in the folder C:\OpenSSL-Win32\bin. I would recommend making a backup of this file, in case it's required later. Open the file with WinVi32.
Replace the contents of the file with this template
When it states writing new private key..., the certificate request has been created and stored in the file rui.csr. The Certificate Key request needs to be in RSA format. To convert the key to RSA format, type the following command:
After it states writing RSA key, the certification request has been completed. If you open the rui.csr certificate with WinVi32, you should see a file similar to the following (do not alter or edit your file; these certificates listed below are examples and will not provide you with a certificate!):
It is important that you keep both rui.csr and rui.key. The rui.key is your private key; you must protect it carefully and ensure you have a backup (do not send this to anyone). The rui.csr is a certificate request, used to request an SSL certificate.
2. Obtaining the SSL certificate
The certificate request file (rui.csr) must be given to a certificate authority (CA) for generation of the actual certificate for the VMware vSphere Hypervisor 5.1 (ESXi 5.1) host server. The CA will send you back a certificate for installing on your VMware vSphere Hypervisor 5.1 (ESXi 5.1) host server.
Send the certificate request file (rui.csr) to a Certificate Authority (CA). I can recommend the following for inexpensive trusted SSL Certificate Authorities.
The Certificate Authority (CA) will send you back the generated certificate.
Rename the certificate rui.crt. If you open the rui.crt certificate with WinVi32, you should see a file similar to the following (do not alter or edit your file; these certificates listed below are examples and will not provide you with a certificate!):
3. Configure and Replace the SSL Certificate on a VMware vSphere Hypervisor 5.1
Using WinSCP, log in to the VMware vSphere Hypervisor 5.1 host server and make copies of the existing rui.crt and rui.key. These can be found in /etc/vmware/ssl.
Using WinSCP, copy your new rui.crt and rui.key from your Windows PC to /etc/vmware/ssl on the VMware vSphere Hypervisor 5.1 host server.
If you need to enable SSH, please see my previous Experts Exchange article Part 5: HOW TO: Enable SSH Remote Access on a VMware vSphere Hypervisor 5.1 (ESXi 5.1)
Shut down and restart your VMware vSphere Hypervisor 5.1 (ESXi 5.1) host server. Once the server has been restarted, it will use the new SSL certificate. When connecting from Internet Explorer or the VMware vSphere Client using the correct fully qualified domain name (FQDN), there will no longer be an SSL certificate security warning issued.
Congratulations, you have successfully configured and replaced the SSL certificate on a VMware vSphere Hypervisor 5.1 (ESXi 5.1) host server.
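Before copying the new files to /etc/vmware/ssl, it is worth confirming that rui.crt really belongs to rui.key, names the host's FQDN and is still in date. The script below is an added example, not part of the original article; the host name esxi01.example.test, the minimal request config and the self-signed certificate standing in for the CA's reply are all constructed so that it runs offline with a POSIX shell and OpenSSL.

```shell
#!/bin/sh
# Added example: pre-install checks for rui.crt / rui.key (not from the original article).
# Host name, request config and the self-signed "CA reply" are constructed stand-ins.
FQDN="esxi01.example.test"

# Build a key and CSR in directory $1, then self-sign the CSR as a stand-in for the CA.
make_sample() {
  ( cd "$1" || exit 1
    cat > sample.cfg <<EOF
[ req ]
default_bits = 2048
encrypt_key = no
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
commonName = $FQDN
[ v3_req ]
subjectAltName = DNS:$FQDN
EOF
    openssl req -new -config sample.cfg -keyout rui.key -out rui.csr 2>/dev/null &&
    openssl x509 -req -in rui.csr -signkey rui.key -days 30 \
      -extfile sample.cfg -extensions v3_req -out rui.crt 2>/dev/null )
}

# 0 if the certificate's public key is the one derived from the private key.
cert_matches_key() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 if the certificate is valid for the host name clients will connect to.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# 0 if the certificate has not expired.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run all three checks; reject the pair if any one fails.
preinstall_check() {
  cert_matches_key "$1" "$2" && cert_covers_host "$1" "$3" && cert_not_expired "$1"
}

WORK=$(mktemp -d)
make_sample "$WORK"
preinstall_check "$WORK/rui.crt" "$WORK/rui.key" "$FQDN" && echo "OK to copy to /etc/vmware/ssl"
```

With real files, skip make_sample and call preinstall_check with the paths to your own rui.crt and rui.key and the FQDN you use to connect to the host.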
****************************************************************************
Thank you for reading my article, please leave valuable feedback. If you liked my VMware article and would like to see more Articles from me, please click the Yes button near the: Was this article helpful? at the bottom of this article just below and to the right of this information. Thank You. Do not forget if you have a question about this article or another VMware, Virtualisation, Windows Server 2012 question, why not post a Question for me and the other Experts Exchange Experts in the VMware, Virtualisation, Windows 2008, Windows 2012 Zones. I look forward to hearing from you. - Andy :- twitter @einsteinagogo
****************************************************************************
Comments (7)
Commented:
great article as usual Andrew. And I want to say : still valuable after 8 years!
I make this comment long after because I just had a situation with ESX 6.7 SSL certificate from custom CA, and it helped me, along with blogs and all VMware KBs related to the subject.
Thanks!
Author
Commented:
Thanks for your kind words
to be honest with you I had forgotten I had written an article about this, there are so many > 100 articles and videos.
I'm slowly re-publishing all the articles for 7.0, and also videos, so maybe I'll bring this one up to date and current!
This will be the next article for 7.0!
Andy
Commented:
Here are the 3 KBs I used yesterday on 6.7 :
https://kb.vmware.com/s/article/2113926
https://kb.vmware.com/s/article/2015387
https://kb.vmware.com/s/article/2112014
IMHO each KB was really incomplete without the others...
In my case I had a root MSCA with also an intermediate MSCA, and was already in hybrid mode with the vCSA part. So I add the ESX part and it worked fine.