Here is a step-by-step walkthrough by Tech Support Engineer Jasbinder Bhatti on how to install custom SSL certificates into your environment. These steps complement KB articles 1029944 and 1005210. We recommend you be familiar with those KB articles before you embark on this mission.
- PuTTY (SSH) to the ESX host and rename the existing key so you have a backup and the ability to roll back after your new credential pair is generated and obtained from the Certificate Authority.
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.keybackup
- Generate the new key and certificate signing request. The following is the expected command and response from ESX:
[root@esx001 ssl]# openssl req -new -keyout rui.key -out esx.csr
Generating a 1024 bit RSA private key
- Send the CSR file off to the Certificate Authority and wait for the intermediate certificate and the new server certificate (servername.crt) to be returned to you. The newly generated key will not be usable until the new intermediate certificate and matching server certificate are received back from the Certificate Authority. In the interim, rename the newly generated key for later use and restore the original backed-up key as shown:
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.keynew
mv /etc/vmware/ssl/rui.keybackup /etc/vmware/ssl/rui.key
You will notice, if you cat the rui.keynew file at this stage, that the following header lines indicate it is encrypted:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 7, ENCRYPTED
DEK-Info: DES-EDE4-CXD,E23F5B5323EF34E4
Once the new servername.crt and intermediate.crt files are received back from the Certificate Authority, continue with the steps below.
- The intermediate.crt file will also need to be imported (if not already done so) into the Windows Certificate Store. Check for the existence of this certificate in Internet Options >> Content, on the Intermediate Certificates tab.
- Rename the original certificate and key files (rui.crt and rui.key) for backup purposes as shown:
mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crtbackup
mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.keybackup
- Rename servername.crt and rui.keynew to rui.crt and rui.key as follows:
mv /etc/vmware/ssl/esxservername.crt /etc/vmware/ssl/rui.crt
mv /etc/vmware/ssl/rui.keynew /etc/vmware/ssl/rui.key
- Reformat the X.509 certificate with the command below. Make sure you are in the /etc/vmware/ssl directory when doing so.
openssl x509 -text -in rui.crt -out rui.text
- Open the file and remove all the text except the information below. In other words, you should see BEGIN CERTIFICATE, the information in between, and END CERTIFICATE when you have completed the edit.
-----BEGIN CERTIFICATE-----
18788ylfhdlharelere ……………………………..
-----END CERTIFICATE-----
- Rename the rui.crt file back to servername.crt, and the rui.text file back to rui.crt:
mv rui.crt servername.crt
mv rui.text rui.crt
- You will have to remove the encryption from the key at this point with the following command:
openssl rsa -in rui.key -out rui.key.unencrypted
At this point you will be prompted for the pass phrase protecting rui.key:
Enter pass phrase for rui.key
- Rename rui.key to rui.keynew as follows:
mv rui.key rui.keynew
- Rename the rui.key.unencrypted file back to rui.key as follows:
mv rui.key.unencrypted rui.key
- Restart the following services on the ESX host as follows:
service mgmt-vmware restart
service vmware-vpxa restart
service vmware-webAccess restart
- In Virtual Center, the server will eventually come up in a "not responding" state and will need to be disconnected, then reconnected, after this step. To do this:
Right Click on the ESX Host > Select "Disconnect"
Right Click on the ESX Host > Select "Connect"
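The post-CA half of the procedure above (keep only the PEM block of the returned certificate, strip the pass phrase from the key, back up and replace rui.crt and rui.key) can be scripted, and scripting it is the natural place to add the check the walkthrough skips: confirming that the certificate the CA returned was actually issued for the private key on the host, so a mismatched pair never reaches the management services. The script below is an added example, not part of the original walkthrough and not VMware tooling. It uses the /etc/vmware/ssl path and the rui.crt/rui.key names from the page; everything else is an assumption of this example: the SSL_DIR override, the exported KEY_PASS variable used to supply the pass phrase non-interactively, the .bak naming, and the constructed self-signed fixture that stands in for the CA round trip. It also goes slightly beyond the page by recognising the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form that newer openssl releases write in addition to the Proc-Type header shown above.

```shell
#!/bin/sh
# Added example, not from the original walkthrough or from VMware.
# Assumptions (not on the page): SSL_DIR may be overridden for testing,
# KEY_PASS is an exported variable carrying the key's pass phrase, and
# openssl, sed, mktemp and date are on PATH.
set -eu

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Keep only the first PEM certificate block of a file such as the output of
# `openssl x509 -text`, discarding the human-readable dump that precedes it.
extract_pem_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# True when the key is pass-phrase protected, in either the traditional PEM
# form (Proc-Type header, as on the page) or the PKCS#8 encrypted form.
key_is_encrypted() {
    grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Write an unencrypted copy of a key, reading the pass phrase from the
# exported KEY_PASS variable instead of prompting on the terminal.
decrypt_key() {
    openssl rsa -in "$1" -out "$2" -passin env:KEY_PASS
}

# True when the (unencrypted) private key and the certificate carry the same
# RSA modulus, i.e. the certificate really was issued for this key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ "$k" = "$c" ]
}

# Install a CA-issued certificate (possibly still wrapped in -text output)
# and its key as $SSL_DIR/rui.crt and rui.key, keeping timestamped backups of
# the pair currently in place. Returns 1 and changes nothing on any mismatch.
install_pair() {
    new_crt="$1"; new_key="$2"
    work=$(mktemp -d)
    extract_pem_cert "$new_crt" > "$work/rui.crt"
    if [ ! -s "$work/rui.crt" ]; then
        echo "no PEM certificate block found in $new_crt" >&2
        rm -rf "$work"; return 1
    fi
    if key_is_encrypted "$new_key"; then
        decrypt_key "$new_key" "$work/rui.key"
    else
        cp "$new_key" "$work/rui.key"
    fi
    if ! key_matches_cert "$work/rui.key" "$work/rui.crt"; then
        echo "certificate does not match private key; nothing installed" >&2
        rm -rf "$work"; return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    for f in rui.crt rui.key; do
        if [ -f "$SSL_DIR/$f" ]; then mv "$SSL_DIR/$f" "$SSL_DIR/$f.$stamp.bak"; fi
    done
    cp "$work/rui.crt" "$SSL_DIR/rui.crt"
    cp "$work/rui.key" "$SSL_DIR/rui.key"
    chmod 0644 "$SSL_DIR/rui.crt"
    chmod 0400 "$SSL_DIR/rui.key"   # the private key is for root's eyes only
    rm -rf "$work"
}

# Constructed fixture standing in for the CA round trip: a pass-phrase
# protected key plus a self-signed certificate for it, dumped with -text the
# way the walkthrough does. Uses 2048-bit RSA rather than the 1024 bits shown.
make_fixture_pair() {
    dir="$1"
    openssl genrsa -aes128 -passout env:KEY_PASS -out "$dir/new.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/new.key" -passin env:KEY_PASS \
        -subj /CN=esx001.example -days 1 -out "$dir/ca.crt" 2>/dev/null
    openssl x509 -text -in "$dir/ca.crt" -out "$dir/ca.text"
}

# Stand-alone demo against a temporary directory, never a live host:
#   KEY_PASS=demo-pass sh install_rui.sh demo
case "${1:-}" in
demo)
    demo_dir=$(mktemp -d)
    SSL_DIR="$demo_dir"
    KEY_PASS="${KEY_PASS:-demo-pass}"; export KEY_PASS
    make_fixture_pair "$demo_dir"
    install_pair "$demo_dir/ca.text" "$demo_dir/new.key"
    openssl x509 -noout -subject -in "$SSL_DIR/rui.crt"
    ;;
esac
```

On a real host you would export KEY_PASS, point install_pair at the servername.crt (or rui.text) returned by the CA and at rui.keynew, and then restart the services as in the last step. The sed range keeps only the first certificate block, so if the CA hands back the server certificate and the intermediate concatenated in one file, split them first. The fixture uses 2048-bit keys because 1024-bit RSA is no longer accepted by current CAs or browsers.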