Update VMware ESXi SSL certificate

Another post in the category: I keep reinventing the wheel (or: I keep forgetting how I did stuff in the past). Here's how to renew your ESXi SSL certificate.

I use XCA, an excellent tool to manage certificates. For use with ESXi this is extra simple: it can import a CSR and generate a certificate for it. Here are the steps:
  1. Open the ESXi web UI
  2. In the navigator (left pane) click Manage, then click the Security & Users tab -> Certificates -> Import new certificate (yes, I know, this doesn't sound very intuitive).
  3. In the new window click Generate FQDN signing request and click Copy to clipboard. Save this as a plain-text file (use notepad or any other text editor).
  4. Next, open XCA, go to the Certificate Signing Requests tab, click Import and select the file you just saved.
  5. Next, right-click the CSR and click Sign. Change options to your liking. In my case that is:
    • Select the intermediate CA certificate for signing
    • Select the domain template and click "Apply all"
  6. Click OK and head over to the Certificates tab. The newly created certificate should be shown in the list. Export it as PEM.
  7. Open the file with a text editor (like notepad). Copy the entire contents.
  8. Back to the ESXi UI, paste the contents of the PEM file in the "Import certificate" window and click OK.
The new certificate is now installed. ESXi will show a message that you should refresh your browser, so do that. You may have to refresh a few times, or better, disable cache temporarily, then refresh. Eventually the new SSL cert should be used. No need to 'restart the host'.
Tested on ESXi 7.0u3
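
To confirm the import without relying on browser refreshes and cache, the certificate the host actually serves can be compared with the PEM exported from XCA. This is an added example, not part of the original post; the script name and host name in the usage comment are placeholders, and it assumes the first certificate in the exported file is the host certificate.

```python
"""Added example: check that an ESXi host serves the certificate exported from XCA."""
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in a PEM string.

    An export may hold one certificate or a chain; the first block is
    assumed to be the host (leaf) certificate. CRLF line endings are fine.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def certificate_is_live(exported_pem: str, served_pem: str) -> bool:
    """True when the served certificate is exactly the exported one."""
    return leaf_fingerprint(exported_pem) == leaf_fingerprint(served_pem)


if __name__ == "__main__":
    # Usage (placeholder names): python check_esxi_cert.py esxi01.example.lan exported.pem
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path, encoding="ascii") as fh:
        exported = fh.read()
    # get_server_certificate() fetches the certificate without validating the
    # chain, so it works even if the signing CA is not trusted on this machine.
    served = ssl.get_server_certificate((host, 443))
    print("exported:", leaf_fingerprint(exported))
    print("served:  ", leaf_fingerprint(served))
    sys.exit(0 if certificate_is_live(exported, served) else 1)
```

A mismatch right after the import means the host is still presenting the old certificate, which rules out the browser cache as the cause.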
