VMware ESXi 6.5 – Replacing the default SSL/TLS certificates

One of my weird hobbies is installing legitimate SSL certificates EVERYWHERE. Here are the steps for replacing the default self-signed garbage SSL certificates you get out of the box with VMware ESXi:

Steps


  1. Get your SSL cert, obviously. You’ll need a .key file and a .crt file. (If you need help at this stage, take a look at my SSL cert management scripts on GitHub.)

  2. Enable SSH access to your ESXi box. Log in as root over SSH. (If you don’t know how to do this, perhaps this whole process is not for you at this time.)

  3. From your root SSH session on the ESXi box, move the existing certificate and key aside:

    cd /etc/vmware/ssl
    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key


  4. Use vi to create new rui.key and rui.crt files in /etc/vmware/ssl and paste in the contents of your own key and crt files.

  5. Restart services so your certs are in play:

    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
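
The same procedure as a small POSIX sh script, added here as an example (it is not from the original post, VMware’s KB articles, or my GitHub scripts). It wraps steps 3 to 5 with the one check I would want before overwriting anything: that the private key actually belongs to the certificate, since a mismatched pair leaves hostd unable to serve TLS after the restart. It assumes you run it as root on the host, that `openssl` is available there (ESXi ships one), that the cert and key are PEM files, and that the target directory is /etc/vmware/ssl unless `SSL_DIR` is set; the script and function names are my own.

```shell
#!/bin/sh
# install_esxi_cert.sh: added example, not code from the original post or from VMware.
# Assumptions: run as root on the ESXi host, `openssl` is present, CERT and KEY are
# PEM files, SSL_DIR is /etc/vmware/ssl unless overridden in the environment.

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Succeed only if the public key inside the certificate equals the public key
# derived from the private key. Check this before copying anything: a mismatched
# pair is the classic way to leave hostd unable to serve TLS after a restart.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy the current rui.crt and rui.key aside with a timestamp suffix. The post uses
# fixed orig.* names; a timestamp lets the procedure be repeated later without
# clobbering the first backup. Prints the suffix used.
backup_current() {
    dir="$1"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in rui.crt rui.key; do
        if [ -f "$dir/$f" ]; then
            cp -p "$dir/$f" "$dir/$f.$stamp.bak" || return 1
        fi
    done
    echo "$stamp"
}

# Install CERT and KEY as rui.crt/rui.key in DIR (default SSL_DIR), refusing to
# touch the directory at all if the pair does not match.
install_cert() {
    cert="$1"; key="$2"; dir="${3:-$SSL_DIR}"
    if ! key_matches_cert "$cert" "$key"; then
        echo "refusing to install: $key does not match $cert" >&2
        return 1
    fi
    backup_current "$dir" >/dev/null || return 1
    cp "$cert" "$dir/rui.crt" || return 1
    cp "$key" "$dir/rui.key" || return 1
    chmod 644 "$dir/rui.crt"
    chmod 600 "$dir/rui.key"    # private key readable by root only (my choice, not an ESXi default)
}

# Step 5 from the post: bounce the two services that still hold the old cert in memory.
restart_services() {
    /etc/init.d/hostd restart && /etc/init.d/vpxa restart
}

# Post-check, run from another machine: print what the host is actually serving now.
# Usage: served_cert HOST
served_cert() {
    echo | openssl s_client -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# Usage on the host: ./install_esxi_cert.sh /tmp/new.crt /tmp/new.key
if [ $# -ge 2 ]; then
    install_cert "$1" "$2" && restart_services
fi
```

Copy the script and the two PEM files to the host (scp works once SSH is enabled), run it as root, then from your workstation run `served_cert your-esxi-host` and confirm the subject, issuer and expiry are the ones you expect. If `install_cert` refuses, nothing in /etc/vmware/ssl has been changed, and the timestamped .bak files let you roll back by copying them over rui.crt and rui.key and restarting hostd and vpxa again.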


Sources


  1. Replacing SSL certs: https://kb.vmware.com/s/article/2112277

  2. Restarting services: https://kb.vmware.com/s/article/1003490

Rant


It’s insane to actually expose your ESXi host to the public internet. So if you use this to do that, know that you confuse (and disgust) me.

If not for public exposure, why bother with proper SSL certs? Well, I like having my crap squared-away. It doesn’t matter to me if the world sees it, or only I. Besides, I get SSL certificates for dirt-cheap and I often have wildcard certs too, so the financial cost to me is between little and nothing and the emotional reward, for my weird persona, is quite vast.



Disclaimer


You’re reading this off my personal blog. So, if you think there’s some kind of warranty, you’re mistaken; there is no promise here. This is my blog, a kind of online journal, meant mostly to self-compensate for my own imperfect memory. Do what you will, even let me know how it goes if you want. But I owe you nothing. Besides, all I’ve really done is make a concise note from two VMware docs.

Anyway, consider liabilities on my part totally waived and disclaimed. Follow along at your own risk.

Good luck, and have tons of fun!

James T Snell, the only