VMware ESXi6 – Replacing the Default Certificates

KB ID 0001195 

Problem

This is pretty much part two of the last article I wrote, so make sure you have the vCenter CA set up as a Sub CA of your Microsoft Certificate Services deployment. See the following article;

vSphere 6 vCenter Appliance – Replacing Certificates

Now we take the next step, and replace the certificates on the ESXi hosts.

Solution

Note: Joining the ESXi Hosts to the domain is not essential, it just makes things a little smoother. Ensure the host is set with the correct hostname and DNS settings.

Join the host to your domain.

vCenter 6.5

vCenter 6.0

Supply the domain name and suitable credentials.

Set the domain members to trust the vCenter CA Certificate. Back in part one we issued a SUB CA cert to the vCenter. Now I’m going to get a copy of this certificate, and get all my domain members to trust it, (and by extension all the certificates it issues). Browse to the vCenter https address > Open the certificate properties (click the padlock) > Certificate path > CA > View Certificate > Install Certificate.

Local machine.

I’m going to put it in Intermediate Certificate Authorities.

Then open an MMC console, and add in the certificate snap-in for Local Computer > Intermediate Certification Authorities > Certificates > Locate the ‘CA’ Certificate.

Export the certificate.

DER encoded is fine.

Save it on the root of the C: drive with a sensible name.

Open an administrative command window, and issue the following commands;

[box]

rem Publish the CA cert to Active Directory so domain members pick it up via Group Policy
certutil -dspublish -f C:\{certificate-name}.cer RootCA
rem Also add it to this machine's local Trusted Root store straight away
certutil -addstore -f root C:\{certificate-name}.cer

[/box]

Note: You can use SubCA instead of RootCA.

Now you will see the domain members start to get the CA certificate, (either in Intermediate or Root, depending on the command you issued above).

Meanwhile back in vCenter Web Client > Right click each host > Certificates > Refresh CA Certificates > Then Refresh Certificate.

WARNING: You may see the error below; if you do, it’s a bug, don’t panic, there is a fix published on VMware Support. But if you wait 24 hours and attempt to renew the certificates it will work without an error.

A general system error occurred: Unable to get signed certificate for host: esx-host.your-domain.pri. Error: Start Time Error (70034).

You should see something like this;

If you browse to each ESXi host on https it should connect without errors or warnings.
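As an added check that is not part of the original article: the PowerShell below (the host names and the expected CA name substring are assumptions, change them to suit) pulls each ESXi host’s certificate over TLS, builds the chain against this machine’s trusted stores, and reports the issuer, so you can confirm the host now presents a cert from the vCenter CA rather than its old self-signed one.

```powershell
# Added example, not from the original article. Run from a domain member that has
# received the vCenter CA certificate (via the certutil commands above).
$esxHosts = @('esx-host1.your-domain.pri', 'esx-host2.your-domain.pri')   # assumed host names
$expectedIssuerPart = 'CA'   # assumed substring of the vCenter sub CA's subject name

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server sends during the handshake; the chain is checked explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-EsxHostCertificate {
    param([string]$HostName)
    $cert  = Get-RemoteCertificate -HostName $HostName
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # ESXi host certs normally carry no CRL/OCSP pointers, so skip revocation to avoid a false failure.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted  = $chain.Build($cert)   # $true only if the chain ends in a cert this machine trusts
    $dnsName  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    [pscustomobject]@{
        Host        = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        IssuedByCA  = ($cert.Issuer -like "*$expectedIssuerPart*")
        NameMatches = ($dnsName -ieq $HostName)
        NotAfter    = $cert.NotAfter
        Trusted     = $trusted
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')  # empty when clean
    }
}

foreach ($h in $esxHosts) {
    try { Test-EsxHostCertificate -HostName $h }
    catch { Write-Warning "$h : $($_.Exception.Message)" }
}
```

A host that still shows Trusted = False with an empty issuer match is one whose certificate has not yet been refreshed in vCenter, or a workstation that has not yet picked up the published CA cert.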

Related Articles, References, Credits, or External Links

Original Article Written 26/05/16
