Sunday, February 17, 2013

VMware vCenter 5.1 Installation: Part 15 (ESXi Host SSL certificate)

Last year when I was writing my multi-part vSphere 5.1 installation and configuration series I didn't include instructions on how to replace the ESXi host SSL certificate. That process hasn't changed for ages, so I put it on the back burner. Now the time has come to show you part 15 of the vSphere 5.1 install series, which is a semi-automated method to replace your ESXi (4.x and 5.x) host SSL certificates. This process will be obsoleted by the vCert Manager that should come out in the coming months. But in the meantime, hopefully this post will prove useful to some people.

vSphere 5.1 has relaxed the ESXi host certificate requirements a bit by no longer requiring the dataEncipherment and nonRepudiation key usage bits. However, I've included them in my script in case you have any 5.0 or 4.x hosts. It won't hurt to have these properties enabled on an ESXi 5.1 certificate though, as long as your certificate template allows them.

Basic requirements for the script are:
  • ESXi 4.x or 5.x host(s)
  • OpenSSL installed (0.9.8 or higher, 32-bit or 64-bit)
  • Online Windows Enterprise Certificate Authority (2008 R2 or higher recommended)
  • vSphere CLI (I've tested with 5.x)
  • Properly configured Windows Certificate template (see blog post here)
  • DNS "A" record for your ESXi host
  • Existing D:\Certs directory
If your ESXi host is already managed by vCenter, the HA agent can get very confused by the new SSL certificate thumbprint: vCenter records the host's certificate thumbprint when the host is added, and the replacement certificate has a different one. I would strongly suggest you first put your host in maintenance mode, remove it from the vCenter inventory, update the SSL certificate, reboot the ESXi host, then re-add it to the vCenter inventory. When you re-add it, check that the thumbprint vCenter shows you is the new certificate's before you accept it.

Since the script includes the creation of the CSR, you will need to modify the basic attributes of the SSL certificate variables (the Set lines at the top of the script below). Once you've modified the variables for your environment, just open an elevated VMware vSphere CLI prompt (not just a regular command prompt) and type the script name followed by the FQDN of your ESXi server.

The script will create a CSR, submit the CSR to your MS online CA, download the new certificate, and upload it to your ESXi host. You will be prompted twice to enter the root credentials of your ESXi host. Now simply reboot your ESXi server, re-add it to your inventory, and you are done! Can't get much easier than this folks. In my case the CA certificate life is shorter than what my certificate template requested, so I got a warning message. One caveat: the private key is generated unencrypted (encrypt_key = no) and stays behind in D:\Certs\ESXi\rui.key, so treat that directory as sensitive and delete or lock down the key once the host has it.


The script has some error checking, but it's not super robust. You might get tripped up on the Cert_Template and CA_Name variables, so let me explain them. The Cert_Template is the "Template name", NOT the "Template display name". While they are the same in my example, the "Template name" usually has spaces removed. If you get it wrong, the CA rejects the request and no rui.crt is written.



The CA_Name is NOT simply the hostname of your CA, but is the hostname of the CA AND the CA name which was configured during the CA installation process, separated by a backslash. You can find the CA name by opening the Certification Authority MMC and looking at the left pane, or by running certutil with no arguments on a domain-joined machine, which prints the "Config:" value in exactly the host\CA-name form the script needs.


Congratulations! You have now made it through the whole vCenter 5.1 installation process using trusted SSL certificates. It probably took way longer than you expected, and was much more tedious than it should be. I would hope in vSphere v.Next that they overhaul what seems like a complete mess of internal handling of certificates. How about certificate revocation? How about the ability to completely remove a compromised certificate from all keystores?

Stay tuned for the vCert Manager tool, coming in 2013, which will help automate the certificate replacement process.

--
@Echo Off
REM VMware ESXi SSL Certificate replacement script by Derek Seaman
REM Blog: Derek858.blogspot.com
REM Change these variables for your environment.
REM Do not put spaces around the = sign

REM SSL Certificate Properties
REM Country name must be exactly two letters

Set countryName=US
Set state=CA
Set locality=San Diego
Set organization=Contoso

REM Certificate Authority Properties
REM Cert_Template is the template "name" (usually no spaces), not the display name.
REM CA_Name is <CA host>\<CA name as shown in the Certification Authority MMC>.
Set Cert_Template=VMware-SSL
Set CA_Name=D001DC02\Contoso-D001DC02-CA

REM Existing parent path for the ESXi certificate directory
Set Cert_Path=D:\certs

REM
REM -- Don't change anything below here --
REM

set ESXiConfig=esxi.cfg

REM %1 must be the host FQDN; it becomes the CN and the first SAN entry.
if "%~1"=="" GOTO :ERROR

if not exist %Cert_Path%\ESXi mkdir %Cert_Path%\ESXi

REM Locate the vSphere CLI and OpenSSL (32-bit or 64-bit) and fail early if either is missing.
if exist "D:\Program Files (x86)\VMware\VMware vSphere CLI\bin" Set CLI=D:\Program Files (x86)\VMware\VMware vSphere CLI\bin
if exist "C:\Program Files (x86)\VMware\VMware vSphere CLI\bin" Set CLI=C:\Program Files (x86)\VMware\VMware vSphere CLI\bin
if not defined CLI (
  Echo vSphere CLI not found. Run this from an elevated VMware vSphere CLI prompt.
  Exit /B 1
)

if exist "c:\OpenSSL-Win32\bin\openssl.exe" Set OpenSSL_BIN=c:\OpenSSL-Win32\bin\openssl.exe
if exist "c:\OpenSSL-Win64\bin\openssl.exe" Set OpenSSL_BIN=c:\OpenSSL-Win64\bin\openssl.exe
if not defined OpenSSL_BIN (
  Echo openssl.exe not found in c:\OpenSSL-Win32\bin or c:\OpenSSL-Win64\bin.
  Exit /B 1
)

REM Short hostname = everything before the first dot of the FQDN; used as the second SAN entry.
FOR /F "Tokens=1 delims=." %%A IN ("%~1") DO SET Hostname=%%A

REM Write the OpenSSL request config. keyUsage keeps dataEncipherment and
REM nonRepudiation for 4.x/5.0 hosts; 5.1 no longer requires them.
(
Echo [ req ]
Echo default_bits = 2048
Echo default_keyfile = rui.key
Echo distinguished_name = req_distinguished_name
Echo encrypt_key = no
Echo prompt = no
Echo string_mask = nombstr
Echo req_extensions = v3_req
Echo.
Echo [ v3_req ]
Echo basicConstraints = CA:FALSE
Echo keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
Echo extendedKeyUsage = serverAuth, clientAuth
Echo subjectAltName = DNS:%~1, DNS:%hostname%
Echo.
Echo [ req_distinguished_name ]
Echo countryName = %countryName%
Echo stateOrProvinceName = %state%
Echo localityName = %locality%
Echo 0.organizationName = %organization%
Echo commonName = %~1
) >%Cert_Path%\ESXi\%ESXiConfig%

REM Generate an unencrypted 2048-bit RSA key and the CSR.
"%OpenSSL_BIN%" genrsa -out %Cert_Path%\ESXi\rui.key 2048
"%OpenSSL_BIN%" req -new -key %Cert_Path%\ESXi\rui.key -config %Cert_Path%\ESXi\%ESXiConfig% -out %Cert_Path%\ESXi\rui.csr

REM Submit the CSR to the online enterprise CA; the template decides the final extensions.
REM Remove any certificate from a previous run so a stale rui.crt is never uploaded.
if exist %Cert_Path%\ESXi\rui.crt del %Cert_Path%\ESXi\rui.crt
certreq -submit -config "%CA_Name%" -attrib "CertificateTemplate:%Cert_Template%" %Cert_Path%\ESXi\rui.csr %Cert_Path%\ESXi\rui.crt
if not exist %Cert_Path%\ESXi\rui.crt (
  Echo No certificate was issued. Check Cert_Template and CA_Name, and that the CA is online.
  Exit /B 1
)

REM Upload key and certificate to the host; vifs.pl prompts for root credentials each time.
REM The host is addressed by its FQDN so the DNS A record from the requirements is what gets resolved.
"%CLI%\vifs.pl" --server %~1 --put %Cert_Path%\ESXi\rui.key /host/ssl_key
"%CLI%\vifs.pl" --server %~1 --put %Cert_Path%\ESXi\rui.crt /host/ssl_cert

Echo Done. Reboot %~1, then re-add it to the vCenter inventory.
Echo Note: %Cert_Path%\ESXi\rui.key is an unencrypted private key. Delete it or restrict access once the host has it.
Exit /B 0

:ERROR
Echo Please specify ESXi server FQDN (e.g. ESX01.domain.net).
Exit /B 1
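The batch script above trusts that the CA honoured the request and that whatever landed in rui.crt belongs with rui.key; the two vifs.pl uploads will happily push a mismatched or wrongly-templated pair, and you only find out after the reboot. The following is an added example (not part of the original post or of any VMware tool) of the checks I would run on the files before uploading them, written as POSIX shell around the same OpenSSL config the batch script generates. It assumes openssl is on the PATH, and the throwaway CA in make_test_ca_and_sign is a constructed stand-in for the Windows enterprise CA so the whole flow can run offline; in production rui.crt is whatever certreq returned. The host names are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for an ESXi
# rui.key / rui.crt pair before it is uploaded with vifs.pl.
set -eu

# Write the same OpenSSL request config the batch script echoes out.
# $1 = host FQDN, $2 = working directory.
write_req_config() {
    fqdn=$1; dir=$2
    short=${fqdn%%.*}          # same "Tokens=1 delims=." split as the batch FOR loop
    cat >"$dir/esxi.cfg" <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$fqdn, DNS:$short

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = San Diego
0.organizationName = Contoso
commonName = $fqdn
EOF
}

# Key and CSR. OpenSSL 3 writes PKCS#8 keys by default; ESXi 4.x/5.x expect the
# traditional "BEGIN RSA PRIVATE KEY" form, so ask for it there.
make_key_and_csr() {
    dir=$1
    trad=""
    case "$(openssl version)" in "OpenSSL 3"*) trad="-traditional" ;; esac
    openssl genrsa $trad -out "$dir/rui.key" 2048 2>/dev/null
    openssl req -new -key "$dir/rui.key" -config "$dir/esxi.cfg" -out "$dir/rui.csr"
}

# Constructed stand-in for the Windows enterprise CA (test only): a self-signed
# CA that copies the v3_req extensions from the config into the issued cert.
make_test_ca_and_sign() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Contoso Test CA" -days 365 2>/dev/null
    openssl x509 -req -in "$dir/rui.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/esxi.cfg" -extensions v3_req \
        -out "$dir/rui.crt" 2>/dev/null
}

# Returns 0 only if rui.crt is safe to push to the host.
# $1 = dir, $2 = host FQDN, $3 = PEM file holding the issuing CA certificate.
preflight_esxi_cert() {
    dir=$1; fqdn=$2; cafile=$3
    txt=$(openssl x509 -in "$dir/rui.crt" -noout -text)
    # 1. The certificate chains to the CA we expect (catches a stale or foreign rui.crt).
    openssl verify -CAfile "$cafile" "$dir/rui.crt" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    # 2. Certificate and private key belong together (compare RSA moduli).
    m1=$(openssl x509 -noout -modulus -in "$dir/rui.crt")
    m2=$(openssl rsa  -noout -modulus -in "$dir/rui.key" 2>/dev/null)
    [ "$m1" = "$m2" ] || { echo "key/cert mismatch: FAIL"; return 1; }
    # 3. The template honoured the request: SAN, key usage, EKU, and not a CA cert.
    echo "$txt" | grep -qF -- "DNS:$fqdn"                 || { echo "SAN missing $fqdn"; return 1; }
    echo "$txt" | grep -q  "Key Encipherment"             || { echo "keyUsage missing keyEncipherment"; return 1; }
    echo "$txt" | grep -q  "TLS Web Server Authentication" || { echo "EKU missing serverAuth"; return 1; }
    echo "$txt" | grep -q  "CA:FALSE"                     || { echo "basicConstraints is not CA:FALSE"; return 1; }
    echo "preflight OK"
    return 0
}

# SHA-1 thumbprint in the AA:BB:... form vCenter shows when a host is re-added,
# so the value it presents after the reboot can be compared against the file.
cert_thumbprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2
}
```

Run write_req_config, make_key_and_csr, then (after certreq, or make_test_ca_and_sign offline) preflight_esxi_cert with the enterprise CA's certificate as the third argument; record cert_thumbprint before you reboot the host, since that is the value to accept when vCenter asks. The SAN check is deliberately against the FQDN you will type into vCenter, because a template that strips the requested SAN is the most common reason a host comes back with a "trusted" certificate that browsers and vCenter still reject.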

6 comments:

  1. Excellent post and very compact and nice script to allow automating the generation and deployment of certificates to vSphere ESXi hosts.

    I would recommend adding the following to the top of the script that generates the openssl.cfg file. This eliminates a potential error you may see with OpenSSL about the random file when generating the CSR.

    Echo HOME=.
    Echo RANDFILE=$ENV::HOME/.rnd

  2. Thanks Derek, you saved my day :) excellent work

  3. Wowzas! I made it to the top! Thanks so much man. It is working great!

    Helluva good job putting this guide together.

  4. Derek, I made all the way through all 15 parts! Thanks a ton for all this work. This blog series is awesome. I now have our Dev vSphere 5.1 system up and working with our certs! This is the documentation that VMware should have provided! Thanks again!

  5. I am gonna take a shot, trying to accomplish a standard installation of vSphere 5.1. Thank you very much Derek!

  6. Excellent Dude, much appreciated. Shame VMware couldn't produce something as easy to read and understand as you have done.

    Good Work.
    Luts
