Skip to main content

ESXi — Install a CA-signed SSL certificate (from SNOW)

One-liner
Install a CA-signed certificate on an ESXi host using the files provided via ServiceNow (SNOW)—no local self-signed generation.


Purpose

Apply a vetted server certificate to an ESXi host to remove browser warnings, meet policy, and keep the trust chain complete.


Prerequisites

  • Files delivered by the CA team (via SNOW):
    • rui.crt — server certificate (PEM/Base64)
    • rui.key — private key (RSA)
    • Root.cer — full CA chain (all intermediates + root) in PEM
  • SSH/SCP to the host (e.g., PuTTY/WinSCP).
  • If the host is managed by vCenter:
    • The host can be placed in Maintenance Mode.
    • vCenter is in Custom Certificate Mode (to prevent VMCA from overwriting the host cert on reconnect).

For vSAN/Horizon environments, follow any product-specific post-steps as required by VMware.


Procedure

  1. Enter Maintenance Mode (if managed by vCenter)
    Put the ESXi host into Maintenance Mode.
    (Standalone host? Skip this step.)

  2. Enable SSH on the host (DCUI)
    F2Troubleshooting OptionsEnable SSH.

  3. Open an SSH session and switch to the SSL folder

    cd /etc/vmware/ssl
   
4. Back up current certificate files

bash
Copy code
cp rui.crt rui.crt.bak
cp rui.key rui.key.bak
Upload new certificate and key (ASCII/Text mode)

rui.crt → /etc/vmware/ssl/rui.crt

rui.key → /etc/vmware/ssl/rui.key
Why ASCII? To avoid stray ^M characters.

Quick check for stray characters:

bash
Copy code
vi /etc/vmware/ssl/rui.crt
# verify no ^M at line ends, then :wq
Back up the trust store

bash
Copy code
cp /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.bak
Place the full CA chain and append it to the trust store

Upload Root.cer (full chain: intermediates + root) to /etc/vmware/ssl/Root.cer.

bash
Copy code
cat /etc/vmware/ssl/Root.cer >> /etc/vmware/ssl/castore.pem
Restart ESXi management agents (DCUI)
F2 → Troubleshooting Options → Restart Management Agents → confirm with F11.

Exit Maintenance Mode
Bring the host out of maintenance. The host should reconnect cleanly to vCenter.

Verify
Confirm certificate ↔ key match

bash
Copy code
openssl x509 -in /etc/vmware/ssl/rui.crt -noout -modulus | openssl md5
openssl rsa -in /etc/vmware/ssl/rui.key -noout -modulus | openssl md5
# The hashes must be identical.
If you see “Failed to import new SSL certificate”, verify:

The MD5 hashes above match.

Root.cer contains the entire chain (all intermediates + root).

Files are PEM/Base64 and readable; check /var/run/log/hostd.log for details.

Common pitfalls (avoid)
vCenter not in Custom Certificate Mode → VMCA replaces the host cert after reconnect.

Root.cer missing an intermediate → clients report an incomplete trust chain.

Upload in binary mode → stray ^M causes parsing errors; re-upload in ASCII/Text mode.

makefile
Copy code
::contentReference[oaicite:0]{index=0}