VMware ESXi6 – Replacing the Default Certificates

KB ID 0001195 

Problem

This is pretty much part two of the last article I wrote, so make sure you have the vCenter CA setup as a Sub CA of your Microsoft Certificate Services Deployment. See the following article;

vSphere 6 vCenter Appliance – Replacing Certificates

Now we take the next step, and replace the certificates on the ESXi hosts.

Solution

Note: Joining the ESXi Hosts to the domain is not essential, it just makes things a little smoother. Ensure the host is set with the correct hostname and DNS settings.

ESXi6 Domain and DNS Details

Join the host to your domain.

vCenter 6.5

ESX 6.5 Join Domain

vCenter 6.0

ESXi Join Domain

Supply the domain name and suitable credentials.

ESXi Join AD Domain

Set the domain members to trust the vCenter CA Certificate. Back in part one we issued a SUB CA cert to the vCenter. Now I’m going to get a copy of this certificate, and get all my domain members to trust it, (and by definition all the certificates it issues). Browse to the vCenter https address > And open the certificate properties (click the padlock)  > Certificate path > CA  > View Certificate > Install Certificate.

VMCA Sub CA Certificate

Local machine.

Export CA Certificate

I’m going to put it in Intermediate Certificate Authorities.

Intermediate CA Certificate

Then open an MMC console, and add in the certificate snap-in for Local Computer > Intermediate Certification Authorities > Certificates > Locate the ‘CA’ Certificate.

View Intermediate CA Certificate

Export the certificate.

Export Intermediate CA Certificate

DER encoded is fine.

Intermediate CA Certificate settings

Save it in the root of the C: drive with a sensible name.

Save CA Certificate

Open an administrative command window, and issue the following commands;

certutil -dspublish -f C:\{certificate-name}.cer RootCA
certutil -addstore -f root C:\{certificate-name}.cer

Note: You can use SubCA instead of RootCA.

Add Certificate to Domain Trusted

Now you will see the domain members start to get the CA certificate, (either in Intermediate or Root, depending on the command you issued above).

Certificate Auto Added to Domain Members

Meanwhile back in vCenter Web Client > Right click each host > Certificates > Refresh CA Certificates > Then Refresh Certificate.

ESX Refresh CA Certificate

WARNING: You may see the error below; if you do, it’s a bug, so don’t panic: there is a fix published on VMware Support. Alternatively, if you wait 24 hours and attempt to renew the certificates again, it will work without an error.

Certificate Time Error

A general system error occurred: Unable to get signed certificate for host: esx-host.your-domain.pri. Error: Start Time Error (70034).

You should see something like this;

ESXi View Certificates

If you browse to each ESXi host on https it should connect without errors or warnings.

ESXi Replace Certificates
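As an added check (this is not from the original article), the PowerShell below, run from a domain member that has received the VMCA sub CA certificate, connects to each host on https, pulls the certificate it presents and confirms that it chains to a trusted CA in the local machine store and that the name in the certificate matches the hostname. The host names are placeholders.

```powershell
# Added example: verify the certificate each ESXi host now presents after the refresh.
# Assumptions: the host names below are placeholders; this runs on a Windows domain
# member that already trusts the VMCA sub CA (via certutil -dspublish / -addstore).
param(
    [string[]]$Hosts = @('esx-host1.your-domain.pri', 'esx-host2.your-domain.pri'),
    [int]$Port = 443
)

function Test-EsxiCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback always returns $true so we can fetch the certificate even if it
        # is still the old self-signed one; the real validation is done with X509Chain below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
    } finally {
        $client.Close()
    }

    # Build the chain against the local machine stores, where certutil placed the sub CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    # GetNameInfo returns the DNS name from the SAN (or CN) that a browser would match against.
    $certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    [pscustomobject]@{
        Host         = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        NameMatches  = ($certName -eq $HostName)
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ChainPath    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

$Hosts | ForEach-Object { Test-EsxiCertificate -HostName $_ -Port $Port } | Format-List
```

A host that still has its original self-signed certificate shows ChainTrusted as False with an UntrustedRoot status, while a host that picked up the new certificate shows the VMCA sub CA in ChainPath.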

Related Articles, References, Credits, or External Links

Original Article Written 26/05/16

Author: PeteLong
