Implementing CA signed SSL certificates with vSphere 5.x – Part 5– ESXi and Automation

In the previous posts, we discussed the need for certificates, how to obtain certificates, implementing certificates on a vCenter Server Appliance, vCenter Update Manager server and finally a vCenter Orchestrator Appliance. Although there are more vSphere components, we conclude with the implementation of certificates for ESXi hosts.

ESXi hosts

The configuration of CA certificates is explained in KB “Configuring CA signed certificates for ESXi 5.x hosts (2015499)”. Most important remark in this KB; “Each server must be unique to the component as it ties to the fully qualified domain name of the server. As such you cannot just take a single certificate and apply it to all hosts. Wildcard certificates are currently not supported, but even if they were, it is much more secure to have a proper certificate for each host.”

To create a certificate request for multiple ESXi servers, you can follow the procedure as describes in KB “Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment (2015387)”.

  • Replace the contents of the file c:\OpenSSL-Win32\bin\openssl.cfg with the presented code.
  • Enter the details for the first server (red sections).
  • Generate the certificate request by executing the command:
    openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
  • Create a folder for each ESXi server and store the new certificate request file csr.
  • For the next server, adjust the details in the cfg file. Most likely, hostname and IP address. And so on.

The process for obtaining certificates is the same as for the other components. So after obtaining the certificates, the final part is installing and configuring the certificate on the ESXi host.
The steps are well explained in KB “Configuring CA signed certificates for ESXi 5.x hosts (2015499)”.
In essence, it comes down to replacing the files rui.crt and rui.key in the folder /etc/vmware/ssl. During this action, the ESXi host must be put into maintenance mode.

Be aware of the following:

  • If the host is part of a View Cluster, additional steps may need to be performed.
  • If the vCenter Server is not 5.0 U1 or later, the configuration of VMware HA will fail. A workaround is available in KB 2006210.


After going through the posts and Knowledge Base articles, one thing is very clear, replacing certificates is time consuming and tedious task. It is also a task that asks for automation.

VMware has released the SSL Certificate Automation Tool. Until now three version s are available:

  • SSL Certificate Automation Tool 1.0 is supported with vSphere 5.1
  • SSL Certificate Automation Tool 1.0.1 is supported with vSphere 5.1 Update 1 and later, excluding vSphere 5.5
  • SSL Certificate Automation Tool 5.5 is supported with vSphere 5.5

The SSL Certificate Automation Tool must be run on a Windows Server (2003 R2 SP2, 2008 R2 SP1, 2012 Standard or Datacenter).
As of version 1.0.1., the tool automates the creation of certificate requests, but does not automate the submission of the certificate requests to a CA.
The tool has some prerequisites and requirements; the best part of the tool is the Update Steps Planner. This option allows you to determine the order in which you should update the various components.

More information can be found in the following KBs:
Deploying and using the SSL Certificate Automation Tool 1.0.x (2041600)
Deploying and using the SSL Certificate Automation Tool 5.5 (2057340)

While using the SSL Certificate Automation Tool, Certificate Signing Requests still needs to be created, see KB Generating certificates for use with the VMware SSL Certificate Automation Tool (2044696).

Derek Seaman has published a very useful PowerShell script (Derek’s Toolkit Script) which can help you in the process of obtaining certificates and many more tasks. The script and excellent instructions can be found here.

If you are in the process of installing or upgrading a vSphere environment, I highly recommend reading more of Derek’s posts!

As always, I thank you for reading.

This is the third post in a series about implementing CA signed SSL certificates in a vSphere 5.x environment.

Part 1 – Introduction.

Part 2 – Obtaining Certificates.

Part 3 – Implementing CA signed SSL certificates for the vCenter Server Appliance

Part 4 – Implementing CA signed SSL certificates for the vCO/vRO

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: