January 2011

There was one post published in January 2011.

SSL Certificates and ESXi

Security is an important factor within your vSphere Infrastructure. This is why all traffic between the vCenter server and the ESXi hosts is encrypted using Transport Layer Security (TLS). ESXi support TLS by the use of SSL version 3 or TLS version 1 type certificates, generally referred to as SSL certificates. For more information on data encryption see Transport Layer Security on Wikipedia.

The use of SSL certificates within ESXi

SSL certificates are used within vSphere by default. Both vCenter and ESXi create their own SSL certificates during the installation process.During the creation a certificate and a private key are generated and are stored in the following location :

  • SSL certificate => /etc/vmware/ssl/rui.crt
  • SSL private key => /etc/vmware/ssl/rui.key

Both these keys are used to encrypt the data communication between the ESXi host and the vCenter client. And between the ESXi host and the vSphere client. This can be noticed when connect to either the vCenter server or ESXi host with a vSphere client. A warning message is then shown that the certificated used by the vCenter server or ESXi host could not be verified. Simply ignoring this will notice or installing the certificate on your local host will resolve this warning message.

To summarize : ESXi by default uses data communication encryption with self-generated SSL certificates.

Replacing the default SSL certificates ESXi

The ESXi default certificates that are created during the installation process are unique. However these certificates aren’t verifiable and aren’t checked against a central certificate authority (CA) that is known and trusted within the IT infrastructure.

Some companies require the use of a company CA server to validate the SSL certificates. Most commonly used is the Microsoft Active Directory Certificates server that validated certificates in a Public Key Infrastructure (PKI). You will need to generate your new SSL certificates for ESXi that are signed by the CA. After generating the new certificate and private key for the ESXi host(s) that have been signed by the CA the files need to be uploaded to your ESXi host.

The ESXi Configuration Guide presents you with two ways to upload the files to your ESXi host :

Via the vSphere CLI :

vifs –server <hostname> –username <username> –put rui.crt /host/ssl_cert
vifs –server <hostname> –username <username> –put rui.key /host/ssl_key

Upload your files via the HTTPS PUT command to the following sites :

For SSL certificates : https://<hostname>/host/ssl_crt
For keys : https://<hostname>/host/ssl_key

The last can be achieved by using a program that is able to execute a HTTPS PUT command.

Powershell

To be able to upload the certificate and private key file I’ve created a script that is able to upload the SSL certificate and private key using the HTTPS PUT command and Powershell. The script can be downloaded via VMware DOC 14655.