Commercial SSL Certificate Deployment on vSphere Host 6.7

By default, a vSphere host uses an SSL certificate issued by the VMware Certificate Authority (VMCA). Browsers do not trust that CA, so HTTPS access to the host is reported as untrusted.

Untrusted SSL Certificate

If you have a trusted (commercial) SSL certificate for your domain name, you can install it in place of the default certificate issued by VMCA. The process for installing a commercial SSL certificate on a vSphere host is as follows:

  • Prepare the SSL certificate file (generally with the .crt extension) and the key file (generally with the .key extension). A wildcard certificate (*.domain-name) is recommended so that one certificate covers the various host names and DNS records.
  • Copy the two files into the /etc/vmware/ssl folder on the desired host. On Windows you can use WinSCP; on Linux or Mac use the scp command, for example: scp commercial.key commercial.crt root@esxi1.excellent.co.id:/etc/vmware/ssl/
  • Connect to the host over SSH and change to the /etc/vmware/ssl folder.
  • Rename the existing rui.crt and rui.key files as a backup, for example to original.rui.crt and original.rui.key, with the command: mv rui.crt original.rui.crt (and likewise mv rui.key original.rui.key)
  • Rename the commercial certificate and key files to rui.crt and rui.key.
  • Restart the vSphere host so that the new SSL certificate takes effect.
  • Open the web client in a browser at the vSphere host address, for example https://esxi2.excellent.co.id

Instead of restarting the host, you can put the host into Maintenance Mode, install the SSL certificate, use the DCUI to restart the management agents, and then take the host out of Maintenance Mode.

Alternatively, after renaming the rui.crt and rui.key files, run the following command in the vSphere host's SSH console to restart the management services:

services.sh restart

  • A certificate is issued for a host name, so after the SSL certificate is applied, access the host by its DNS name (for example https://esxi1.excellent.co.id) rather than by IP address; if you use the IP address, the connection will still be reported as untrusted.
  • If you don't have an SSL certificate, Excellent provides SSL certificate services of various types (Single, Multi Domain UCC and Wildcard) and from various brands (Comodo, GeoTrust, Symantec, Digicert and others). Please refer to the SSL page for more details. Unlike other providers, who sometimes only provide SSL certificates without support services, Excellent provides support for generating the Certificate Signing Request (CSR), implementing the SSL certificate, and revoking or replacing it.
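Before copying the files in step 2, it is worth confirming that the key matches the certificate, that the certificate (wildcard or not) actually covers the host's DNS name, and that it is not about to expire; after the restart, the served certificate can be compared with the local file by connecting by name. The following checks are an added example, not part of the original post; they assume the openssl CLI (1.1.1 or newer) is on PATH and that the host name and file names are yours.

```shell
#!/bin/sh
# Pre-flight and post-deploy checks for a commercial certificate that will
# replace /etc/vmware/ssl/rui.crt and rui.key. Added example, not from the
# original post; assumes the openssl CLI is on PATH (OpenSSL 1.1.1 or newer).

# 0 if the private key belongs to the certificate (same public key).
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if a SAN DNS entry (or the CN, when there is no SAN) covers the host
# name; a wildcard such as *.excellent.co.id covers exactly one label.
cert_covers_host() {
  host=$2
  names=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
          | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  [ -z "$names" ] && names=$(openssl x509 -in "$1" -noout -subject \
          | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  while read -r n; do
    case $n in
      \*.*) [ "${host#*.}" = "${n#\*.}" ] && return 0 ;;
      *)    [ "$n" = "$host" ] && return 0 ;;
    esac
  done <<EOF
$names
EOF
  return 1
}

# 0 if the certificate stays valid for at least $2 seconds (default 30 days).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# After the host restart: 0 if the certificate served on port 443, reached by
# name rather than by IP, has the same SHA-256 fingerprint as the local file.
served_cert_matches() {
  served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# Example run before copying the files to the host (names are assumptions):
# cert_key_match commercial.crt commercial.key &&
#   cert_covers_host commercial.crt esxi1.excellent.co.id &&
#   cert_not_expiring commercial.crt && echo "OK to deploy"
```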
