Prerequisites:
- Obtain the certificate(s) and key(s) (how to)
- Have SFTP software (WinSCP, Filezilla) OR be fluent with SCP in Linux
- Have ROOT access for the host(s) and SSH capabilities
Step 1: Enable SSH on the Host(s)
From the DCUI:
System Customization >> Troubleshooting Options >> Enable SSH
From the ESXi Web Manager:
- Click Manage
- Click Services
- Select TSM-SSH
- Click Start
From vSphere:
- Select the Host
- Select Configure
- Select Services
- Click SSH
- Click START
SECURITY NOTE: Remember to disable SSH after updating the certificates
Step 2: Upload Certificate and Key to the Host
Transfer the Cert and Key files to the /etc/vmware/ssl folder on the host
Step 3: Rename the Cert and Key files
Make the following name changes either from an SSH terminal or with the SFTP GUI.
Note: I suggest using an SSH terminal for renaming, since it will be easier to restart the services afterwards.
- Rename rui.key and rui.crt to rui.key.old and rui.crt.old
- Rename new_host_cert.crt and new_host_key.key to rui.crt and rui.key
Terminal SSH commands:
[root@ESX-01:~] cd /etc/vmware/ssl
[root@ESX-01:/etc/vmware/ssl] mv rui.crt rui.crt.old
[root@ESX-01:/etc/vmware/ssl] mv rui.key rui.key.old
[root@ESX-01:/etc/vmware/ssl] mv new_host_cert.crt rui.crt
[root@ESX-01:/etc/vmware/ssl] mv new_host_key.key rui.key
Step 4: Edit the castore.pem file
The castore.pem file in /etc/vmware/ssl holds the root and intermediate CA certificates the host trusts (all in one file).
- Copy the castore.pem file to your local machine
- Using a text editor, append ALL the root and intermediate CA certificates in your host certificate's chain to the castore.pem file.
- Replace the old castore.pem file with the updated castore.pem file on the host.
NOTE: Reuse the same castore.pem file for all hosts using the same root and intermediates.
Step 5: Restart ESXi Services
From an SSH Terminal run the following on the host:
services.sh restart
Step 6: Disable SSH (Optional – Suggested)
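The shell side of Steps 2 to 5 (rename, castore.pem merge, restart) collected into one guarded script, as an added example that is not part of this guide. It assumes openssl is on the path (the ESXi shell has it); the function names, the SSL_DIR variable and the return codes are this example's own. It does the Step 4 merge before the Step 3 rename, because the chain check in replace_host_cert needs the new roots to be in castore.pem already; merge_castore matches certificates by fingerprint, so reusing the same chain file on every host (as the note in Step 4 suggests) adds nothing the second time.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks and a
# guarded replacement of the ESXi host certificate, mirroring Steps 2-5.
# Assumptions: openssl is on PATH (it is in the ESXi shell); the new cert
# and key have already been uploaded (Step 2); SSL_DIR is overridable so the
# functions can be rehearsed against a scratch directory before touching
# /etc/vmware/ssl. Function names and return codes are this example's own.

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Succeeds only if CERT ($1) and KEY ($2) carry the same public key.
# Comparing SPKI public keys rather than RSA moduli also covers EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if CERT ($1) chains to a root held in CASTORE ($2), i.e.
# Step 4 has been done for this chain before the rename of Step 3.
cert_chains_to_store() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint (hex digits only) of the single certificate in $1.
cert_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${fp#*=}"
}

# Split a PEM bundle ($2) into $1/1.pem, $1/2.pem, ... one certificate each.
# Text between blocks (e.g. "subject=" lines) is dropped.
split_pems() {
    awk -v d="$1" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem"; b = 1 }
                   b { print > f }
                   /-----END CERTIFICATE-----/ { b = 0; close(f) }' "$2"
}

# Step 4: append every certificate in CHAIN ($2) that CASTORE ($1) does not
# already hold, matched by fingerprint. Prints the number added, so running
# it again with the same chain (or on the next host) adds 0 and is harmless.
merge_castore() {
    store=$1; chain=$2
    work=$(mktemp -d) || return 1
    mkdir "$work/store" "$work/chain"
    split_pems "$work/store" "$store"
    split_pems "$work/chain" "$chain"
    have=" "
    for f in "$work"/store/*.pem; do
        [ -f "$f" ] || continue
        fp=$(cert_fingerprint "$f") || continue
        have="$have$fp "
    done
    # make sure an appended block starts on its own line
    [ -s "$store" ] && [ -n "$(tail -c 1 "$store")" ] && echo >> "$store"
    added=0
    for f in "$work"/chain/*.pem; do
        [ -f "$f" ] || continue
        fp=$(cert_fingerprint "$f") || continue   # skip blocks openssl rejects
        case "$have" in *" $fp "*) continue ;; esac
        cat "$f" >> "$store"
        have="$have$fp "
        added=$((added + 1))
    done
    rm -rf "$work"
    echo "$added"
}

# Step 3 with guard rails: refuses to touch rui.crt/rui.key unless the new
# pair matches and chains to castore.pem, then renames exactly as the guide
# does (old files kept as rui.crt.old / rui.key.old).
replace_host_cert() {
    dir=${1:-$SSL_DIR}; newcert=$2; newkey=$3
    [ -f "$newcert" ] && [ -f "$newkey" ] || { echo "missing new cert or key" >&2; return 2; }
    cert_matches_key "$newcert" "$newkey" || { echo "new cert and key do not match" >&2; return 3; }
    cert_chains_to_store "$newcert" "$dir/castore.pem" \
        || { echo "new cert does not chain to $dir/castore.pem; run merge_castore first" >&2; return 4; }
    [ -f "$dir/rui.crt" ] && mv "$dir/rui.crt" "$dir/rui.crt.old"
    [ -f "$dir/rui.key" ] && mv "$dir/rui.key" "$dir/rui.key.old"
    mv "$newcert" "$dir/rui.crt" && mv "$newkey" "$dir/rui.key" || return 5
    # certificate is public; private key readable by root only
    chmod 644 "$dir/rui.crt" && chmod 400 "$dir/rui.key"
    echo "installed $dir/rui.crt; now run: services.sh restart (Step 5)"
}
```

On the host, after Step 2, source the file and run merge_castore /etc/vmware/ssl/castore.pem with your chain file, then replace_host_cert /etc/vmware/ssl /etc/vmware/ssl/new_host_cert.crt /etc/vmware/ssl/new_host_key.key, then services.sh restart. Pointing the first argument (or SSL_DIR) at a scratch copy of the directory lets you rehearse: the functions refuse to rename anything when the pair does not match or does not chain, a mistake that otherwise only surfaces after the restart.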