How to Install a Free Public CA Certificate on a VMware ESXi Host

Introduction

I run a free VMware ESXi install on my Intel NUC at work. I mainly use this setup to run virtual machines for test and demo purposes. Up until now I used non-encrypted connections to the ESXi management console, but I decided to switch to encrypted remote connections. Although a self-signed certificate is available by default on a VMware ESXi install, I wanted to install a new certificate that is signed by a valid public certificate authority.

Since this is just a test environment I wanted the certificate to be free and preferably using the power of Let’s Encrypt to add and automatically renew the certificate. AFAIK however, VMware ESXi does not support automated installation and renewal of Let’s Encrypt certificates yet.

Therefore I had to look into alternatives, which would mean that I probably had to install and renew the certificate manually myself. First of all I did an inventory on which sites provide free SSL certificates nowadays. I used to use StartSSL but they messed up I guess and are now gone.

I collected these sites:

These sites use Let’s Encrypt in the background but let you obtain a certificate manually. These certificates have a validity of 90 days after which you have to renew manually.

I decided to use certificate provider SSLforFree, mainly because SSLforFree lets you prove your DNS domain ownership by validating a specific TXT-record with a prescribed value.

Requesting a certificate

Navigate to SSLforFree and provide your preferred FQDN of the web site. Click on Create Free SSL Certificate.

Figure 1

NOTE
You can provide additional domain names in the text field of Figure 1. These will be added as Subject Alternative Names (SANs) in the certificate. For example: https://blog.domain.nl host1.domain.nl *.domain.nl.


After this you are presented with a selection of options to prove you own the domain you want to apply a certificate for. I chose Manual Verification (DNS).

Figure 2

When you click on Manually Verify Domain you are presented with a value. You must add this value to a DNS TXT-record called _acme-challenge.vmware.{company}.nl.

Create two DNS records at your DNS provider:

  • An A- or CNAME-record for vmware.{company}.nl pointing to the address where the VMware host is reachable.
  • A TXT-record _acme-challenge.vmware.{company}.nl with the value presented by SSLforFree.

Note: my DNS Provider automatically appends the domain name when I create a DNS record so I only have to put in the first part of the FQDN when creating the records.

Figure 3

SSLforFree advises setting the TTL of the records to one second so that validation can take place quickly. However, my DNS Provider does not provide the option to adjust the TTL at all. Furthermore, in the management console of my DNS Provider I cannot even see what the value of the TTL is. However, the TTL is quite easy to find out. See my blog post How to Use Nslookup to Find the TTL and Value of a TXT Record on how to do this.

I found out that the TTL for my DNS records is one hour. I had to wait this time before I could be sure SSLforFree was able to ‘see’ my new DNS record.

SSLforFree provides a link which verifies the existence and shows the value of the newly created TXT-record. As long as SSLforFree does not see your TXT-record, the following message is shown when clicking the link.

Figure 4

When the TXT-record is found by SSLforFree a message like this is shown displaying the value of the TXT-record.

Figure 5

NOTE
To get some insight into whether DNS propagation is proceeding at all, use the web site digwebinterface.com.


When the TXT-record has been verified you can proceed with the next step: the creation of the certificate. For the creation of the certificate you have two options:

  • Download the SSL certificate, which essentially lets SSLforFree create the public and private key for you.

Although the latter option is the more secure one I had trouble going that route because for some reason my TXT-record could not get verified. This could be due to some temporary flaw (or the fact that I had to wait the TTL period of one hour) but after a few attempts I gave up and decided to use the option to download the certificates for my test VMware environment.

Installing the certificate

The download provides you with three files:

  • Private.key. As the name implies this is the private key of the asymmetric key pair. Never share this key for any other reason than importing it at the host you want to enable SSL on.
  • Certificate.crt. This is the CA-signed certificate containing the public key.
  • Ca_bundle.crt. This is the complete certificate chain that enables other parties to verify the validity of your certificate.

Now I have the certificates mentioned above as files on my Windows workstation. I installed the certificate on my VMware host via SSH (using PuTTY) and SCP (using WinSCP).

Let me show you how:

  1. Log in to the ESXi Shell as a user with administrator privileges. I again used an SSH connection via PuTTY to remotely log in.
  2. In the directory /etc/vmware/ssl, rename the existing certificates using the following commands: mv rui.crt orig.rui.crt and mv rui.key orig.rui.key.
  3. Start WinSCP and copy the new certificate certificate.crt and key private.key from the local Windows file system to /etc/vmware/ssl on the VMware host.
  4. Rename the new certificate and key to rui.crt and rui.key. This can also be done via WinSCP.
  5. Restart the host after you install the new certificate.
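
Before copying anything to the host it pays to confirm that the three downloaded files actually belong together, because a key that does not match its certificate only shows up as a dead web UI after step 5. The POSIX shell below is an added example, not code from the original post or from VMware: cert_preflight checks key/certificate match, chain, hostname coverage and expiry with openssl (ESXi ships an openssl binary, as does any Linux workstation), and install_cert performs steps 2 to 4 against a directory you pass in, so it can be rehearsed on a scratch directory before being pointed at /etc/vmware/ssl.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an openssl binary is on PATH.

# cert_preflight KEY CERT BUNDLE [FQDN]
# Returns 0 only if KEY matches CERT, BUNDLE verifies CERT (for FQDN, if given)
# and CERT has not expired. Prints one line saying what failed otherwise.
cert_preflight() {
  key=$1 cert=$2 bundle=$3 fqdn=$4
  # The public key recovered from private.key must equal the one embedded in
  # certificate.crt; a mismatched pair cannot complete a TLS handshake at all.
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot read key: $key"; return 1; }
  cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || { echo "cannot read cert: $cert"; return 1; }
  [ "$kpub" = "$cpub" ] || { echo "private key does not belong to certificate"; return 1; }
  # ca_bundle.crt must chain the leaf to a trusted root, and the name you typed
  # into SSLforFree must be covered by the CN or a SAN of the certificate.
  if [ -n "$fqdn" ]; then
    openssl verify -CAfile "$bundle" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1 \
      || { echo "chain or hostname check failed for $fqdn"; return 1; }
  else
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 \
      || { echo "chain does not verify"; return 1; }
  fi
  # A 90-day certificate is easy to leave lying around; refuse an expired one.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate has expired"; return 1; }
  return 0
}

# install_cert KEY CERT DIR
# Keeps the existing pair as orig.rui.*, then places the new pair as
# rui.key/rui.crt, with the private key readable by its owner only.
install_cert() {
  key=$1 cert=$2 dir=$3
  [ -f "$dir/rui.key" ] && mv "$dir/rui.key" "$dir/orig.rui.key"
  [ -f "$dir/rui.crt" ] && mv "$dir/rui.crt" "$dir/orig.rui.crt"
  cp "$key" "$dir/rui.key" && cp "$cert" "$dir/rui.crt" || return 1
  chmod 400 "$dir/rui.key" && chmod 644 "$dir/rui.crt"
}
```

Run cert_preflight on the workstation first; only when it returns 0 copy the files over and run install_cert /path/private.key /path/certificate.crt /etc/vmware/ssl on the host, then restart as in step 5.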

The figure below (Figure 6) shows the newly imported certificate as seen in VMware.

Figure 6: Newly imported certificate in VMware

NOTE
For various handy tools such as decoding CSRs, see web site SSLShopper.

See this helpful video on how to protect your Azure sites with https.
