ESXi — Install a CA-signed SSL certificate (from SNOW)
One-liner
Install a CA-signed certificate on an ESXi host using the files provided via ServiceNow (SNOW)—no local self-signed generation.
Purpose
Apply a vetted server certificate to an ESXi host to remove browser warnings, meet policy, and keep the trust chain complete.
Prerequisites
- Files delivered by the CA team (via SNOW):
rui.crt— server certificate (PEM/Base64)rui.key— private key (RSA)Root.cer— full CA chain (all intermediates + root) in PEM
- SSH/SCP to the host (e.g., PuTTY/WinSCP).
- If the host is managed by vCenter:
- The host can be placed in Maintenance Mode.
- vCenter is in Custom Certificate Mode (to prevent VMCA from overwriting the host cert on reconnect).
For vSAN/Horizon environments, follow any product-specific post-steps as required by VMware.
Procedure
-
Enter Maintenance Mode (if managed by vCenter)
Put the ESXi host into Maintenance Mode.
(Standalone host? Skip this step.) -
Enable SSH on the host (DCUI)
F2→ Troubleshooting Options → Enable SSH. -
Open an SSH session and switch to the SSL folder
cd /etc/vmware/ssl
4. Back up current certificate files
bash
Copy code
cp rui.crt rui.crt.bak
cp rui.key rui.key.bak
Upload new certificate and key (ASCII/Text mode)
rui.crt → /etc/vmware/ssl/rui.crt
rui.key → /etc/vmware/ssl/rui.key
Why ASCII? To avoid stray ^M characters.
Quick check for stray characters:
bash
Copy code
vi /etc/vmware/ssl/rui.crt
# verify no ^M at line ends, then :wq
Back up the trust store
bash
Copy code
cp /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.bak
Place the full CA chain and append it to the trust store
Upload Root.cer (full chain: intermediates + root) to /etc/vmware/ssl/Root.cer.
bash
Copy code
cat /etc/vmware/ssl/Root.cer >> /etc/vmware/ssl/castore.pem
Restart ESXi management agents (DCUI)
F2 → Troubleshooting Options → Restart Management Agents → confirm with F11.
Exit Maintenance Mode
Bring the host out of maintenance. The host should reconnect cleanly to vCenter.
Verify
Confirm certificate ↔ key match
bash
Copy code
openssl x509 -in /etc/vmware/ssl/rui.crt -noout -modulus | openssl md5
openssl rsa -in /etc/vmware/ssl/rui.key -noout -modulus | openssl md5
# The hashes must be identical.
If you see “Failed to import new SSL certificate”, verify:
The MD5 hashes above match.
Root.cer contains the entire chain (all intermediates + root).
Files are PEM/Base64 and readable; check /var/run/log/hostd.log for details.
Common pitfalls (avoid)
vCenter not in Custom Certificate Mode → VMCA replaces the host cert after reconnect.
Root.cer missing an intermediate → clients report an incomplete trust chain.
Upload in binary mode → stray ^M causes parsing errors; re-upload in ASCII/Text mode.
makefile
Copy code
::contentReference[oaicite:0]{index=0}