Replace ESXi self-signed Certificate


Steps to replace the ESXi self-signed certificate with a wildcard SSL certificate generated from an internal CA server

How to Replace the ESXi Self-Signed Certificate

Prepare the INF file below and generate a wildcard SSL certificate (*.lab.aventislab.com) from the internal CA server; for the request procedure, refer to "Request SSL Certificate from Microsoft CA with Certreq".

[NewRequest] 
FriendlyName = "*.lab.aventislab.com"
Subject = "CN=*.lab.aventislab.com" 
Exportable = TRUE ;TRUE = Private key is exportable
KeyLength = 2048 
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = TRUE 
[RequestAttributes]
CertificateTemplate="WebServer" ;Certificate Template
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
2.5.29.17 = "{text}" ; SAN - Subject Alternative Name
_continue_ = "dns=*.lab.aventislab.com&"  
_continue_ = "dns=lab.aventislab.com&"

Convert the star.pfx file (named lab.pfx in the commands below) to key & crt files

#Extract the private key from PFX 
openssl pkcs12 -in lab.pfx -nocerts -out lab.pem
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

#Extract Crt from PFX 
openssl pkcs12 -in lab.pfx -clcerts -nokeys -out lab.crt
Enter Import Password:

#Remove the passphrase
openssl rsa -in lab.pem -out lab.key
Enter pass phrase for lab.pem:
writing RSA key

Upload lab.crt & lab.key to /tmp on the ESXi host with scp

scp lab.crt root@192.168.1.160:/tmp
scp lab.key root@192.168.1.160:/tmp

Back up the existing rui.crt & rui.key in /etc/vmware/ssl

mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak

Move lab.crt & lab.key to **/etc/vmware/ssl** and rename them to rui.crt & rui.key

mv /tmp/lab.crt /etc/vmware/ssl/rui.crt
mv /tmp/lab.key /etc/vmware/ssl/rui.key

Reboot the ESXi host

reboot

The wildcard SSL certificate is now associated with https://nuc2.lab.aventislab.com
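A mismatched or still-encrypted key only shows up after the reboot, so it is worth checking lab.crt and lab.key on the workstation before the scp step. The script below is an added example, not part of the original article: it confirms that the key matches the certificate, that the key has no passphrase, and that the wildcard covers the host name. The function names are hypothetical, the sample pair is a constructed self-signed certificate standing in for the CA-issued one, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: pre-install checks for the lab.crt / lab.key pair.

# True when certificate ($1) and private key ($2) carry the same public key.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# True when the key file ($1) is not passphrase-protected; the article strips
# the passphrase with "openssl rsa" before copying the key to the host.
key_is_unencrypted() {
    [ -s "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}

# True when the certificate ($1) covers host name ($2).
# A wildcard entry matches exactly one DNS label, not nested subdomains.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Constructed sample: a throwaway self-signed wildcard pair written to
# directory $1, standing in for the CA-issued lab.crt / lab.key.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/lab.key" -out "$1/lab.crt" \
        -subj '/CN=*.lab.aventislab.com' \
        -addext 'subjectAltName=DNS:*.lab.aventislab.com,DNS:lab.aventislab.com' \
        2>/dev/null
}

# preflight <crt> <key> <host>: run all three checks, stop at the first failure.
preflight() {
    cert_key_match "$1" "$2"   || { echo "FAIL: key does not match certificate"; return 1; }
    key_is_unencrypted "$2"    || { echo "FAIL: key still has a passphrase"; return 1; }
    cert_covers_host "$1" "$3" || { echo "FAIL: certificate does not cover $3"; return 1; }
    echo "OK: $1 and $2 are consistent for $3"
}

demo=$(mktemp -d)
make_sample_pair "$demo"
preflight "$demo/lab.crt" "$demo/lab.key" nuc2.lab.aventislab.com
rm -rf "$demo"
```

Against the real files, call preflight lab.crt lab.key nuc2.lab.aventislab.com in the directory that holds the converted files.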
