Regenerating Self-Signed Certificates For a VMware ESXi Host

Introduction

I run a free VMware ESXi install on my Intel NUC at work. I mainly use this setup to deploy virtual machines for test and demo purposes. After installation, VMware ESXi ships with a self-signed certificate by default.

I noticed that the FQDN of my host did not match the CN of the currently installed self-signed certificate (see the red markings on the figure below).

This was caused by my changing the FQDN in the VMware configuration on the console (DCUI) of the host to vmware.<mycompany>.nl. After this change the CN still listed localhost.localdomain, which is the VMware default after installation.

When you create a new CSR from the UI, the CSR is created for the FQDN listed in the CN field (localhost.localdomain) and not for the FQDN I configured earlier.

Regenerating the certificate

The procedure to solve this discrepancy is:

  1. Log in to the ESXi Shell as a user with administrator privileges. I used PuTTY to set up an SSH connection to my VMware host.
  2. Navigate to the directory /etc/vmware/ssl and rename the existing certificate and key using the following commands: mv rui.crt orig.rui.crt and mv rui.key orig.rui.key.
  3. Run the command /sbin/generate-certificates to generate a new certificate and key.
  4. Restart the host (make sure all VMs are stopped) using the SSH command: reboot.

Source: Generate New Self-Signed Certificates for ESXi
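As an added example that is not part of the original post, the procedure above as a script that first compares the CN of the installed certificate with the host's FQDN and only then performs the backup and regeneration. It assumes openssl and hostname -f are available in the ESXi shell; SSL_DIR and the --run flag are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate the ESXi
# self-signed certificate only when its CN does not match the host FQDN.
# Assumptions: openssl, hostname -f and /sbin/generate-certificates exist
# on the host; SSL_DIR and the --run flag are this script's own.

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Extract the CN from an "openssl x509 -noout -subject" line. Handles both
# the "subject=CN = foo, O = bar" and the older "subject= /O=bar/CN=foo" forms.
parse_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# CN of the certificate currently installed on the host.
current_cn() {
    parse_cn "$(openssl x509 -in "$SSL_DIR/rui.crt" -noout -subject)"
}

# Rename rui.crt/rui.key to orig.rui.* as in step 2 of the post, refusing
# to overwrite an earlier backup (a second run would otherwise destroy it).
backup_cert_files() {
    dir="$1"
    for f in rui.crt rui.key; do
        if [ -e "$dir/orig.$f" ]; then
            echo "backup $dir/orig.$f already exists; refusing to overwrite it" >&2
            return 1
        fi
    done
    for f in rui.crt rui.key; do
        mv "$dir/$f" "$dir/orig.$f" || return 1
    done
}

# Steps 2 and 3 of the post, guarded by the CN/FQDN comparison.
regenerate_if_mismatched() {
    fqdn="$(hostname -f)"
    cn="$(current_cn)"
    if [ "$cn" = "$fqdn" ]; then
        echo "CN '$cn' already matches the FQDN; nothing to do"
        return 0
    fi
    echo "CN '$cn' does not match FQDN '$fqdn'; regenerating certificate"
    backup_cert_files "$SSL_DIR" || return 1
    /sbin/generate-certificates || return 1
    echo "new certificate generated; stop all VMs and reboot the host (step 4)"
}

if [ "${1:-}" = "--run" ]; then
    regenerate_if_mismatched
fi
```

The regenerated certificate has a new thumbprint, so anything that trusted the old one (browser exceptions, a vCenter registration of the host) has to be re-trusted afterwards.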

After regeneration the CN matches the FQDN. If you now create a CSR via Import new certificate | Create CSR, it will be for the correct FQDN (in my case vmware.{company}.nl).
