Adding Chain Certificate to ESXi

I run a single, free-license ESXi server at home for various virtual machines. After recently deploying a new home PKI system (using off-line root and subordinate issuing CAs) I had difficulty getting the VMware Host Client (web GUI) to present the chain certificate to the client. Apparently the ESX host client does not accept the issuing certificate part of the chain and just presents the server certificate. However it can be accomplished with a little extra work.

If you’re familiar with how to generate a CSR and import a certificate in ESX host client, skip to the section “Import the Chain Certificate”.

Generate a CSR

To generate a CSR in the host client, naviate to Host > Manage > Security & Users > Certificates. Click Import New Certificate and choose to generate either FQDN or IP-based CSR. The CSR will be displayed. use this CSR to get a signed certificate from your issuing CA.

Import the Certificate

You could probably skip this section and go directly to Import the Chain Certificate to import everything at once, but I was uncertain if the system would freak if a certificate was not imported via the GUI. Return back to the Import New Certificate screen and pasted the certificate you received from the issuing CA. You can choose to paste just the server certificate or the chain. It will ignore the chain portion.

Import the Chain Certificate

This requires logging into ESX via SSH. Enable the SSH console via Host > Actions > Services > Enable Secure Shell. From a terminal ssh into the ESX host and navigate to /etc/vmware/ssl. Use vi to open the rui.crt file for editing. Paste the issuing CA certificate at the bottom of the file, after “—–END CERTIFICATE—–“.

Restart Services

While still in the ESX host with ssh, restart some management services:

/etc/init.d/hostd
/etc/init.d/vpxa

You can exit the ssh session and disable ssh on the host at this time.

Close out any open browser tabs to this host, clear cache, and test access to the host client (ensure your browser lists the issuing CAs root as a trusted certificate). You should now have the chain certificate and the certificate should show as trusted.

 

Hat Tip to VMware KB article 2006124 for the location of the certificate file.

Comments are closed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: