
VMware vSphere ESXi 8.0 Certificate Replacement via SSH

by Roger Lund

Today, I had an interesting one. This was a new install of VMware vSphere ESXi 8.0, or at least one that was only a few days old, and lo and behold, it had an expired certificate!? This is a technical write-up of the steps I performed to fix it in my own lab.

When I logged into the host, I saw the following.

(Screenshot: the host client showing the expired certificate warning.)

That isn't good; let's go fix it.

Step 1. Google.

I found this write-up by Jesus Vigo in Security:

How to regenerate certificates on VMware host servers

https://www.techrepublic.com/article/how-to-regenerate-certificates-on-vmware-host-servers/

“By default, VMware host servers, like ESXi hosts typically generate new certificates when the hypervisor is installed on bare-metal hardware. Through the process of configuring the host and allocating resources, it is common for the server configuration to undergo many settings changes as you harden your device.


Among the hardening steps your organization may employ, joining an Active Directory (AD) domain helps administrators simplify management of the underlying hypervisor used to host virtual machines (VMs) by centralizing the management of user accounts and groups allowed access to the server, as well as what changes they are authorized to make.


However, while the process to join the server to AD may be straightforward, it can and certainly will consistently fail if the SSL certificates used by the VMware host are expired, invalid, or otherwise corrupted. These all pose a difficulty in getting the server to authenticate domain accounts, which will leave users unable to maintain the server until it is resolved. But how can you fix this once it's happened? Or worse yet, if you've never been able to join it to the domain in the first place?”

OK, let's get to it!

First, let's enable SSH. Go to Manage, Services.

(Screenshot: the Services tab under Manage.)

Select TSM-SSH (Name: SSH) and click Start.

(Screenshot: the TSM-SSH service started.)

Next, let's log in via SSH. I used PuTTY.

(Screenshot: the SSH session to the host.)

Let's move to the directory that holds the SSL certificate and key so we can back them up, per the write-up above.

cd /etc/vmware/ssl

Then run the following.

mv rui.crt rui.crt.bak
mv rui.key rui.key.bak

But I got the following error.

(Screenshot: the error returned by the mv commands.)

So we'll move on.

Next, run /sbin/generate-certificates

Then run /etc/init.d/hostd restart

(Screenshot: output of generate-certificates and the hostd restart.)

Looks like that worked; let's see!

Log back into the VMware host via the web interface.

Ta da!

(Screenshot: the host client with the new certificate in place.)

Make sure to disable SSH afterwards, or reboot to do so.

Thanks for reading.

Roger L
