VMware ESXi 8

Replace Certificate 2023/12/26

 

Replace the certificate that was auto-generated when ESXi was installed with one you obtained yourself, for example from Let's Encrypt.

[1]

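Transfer the certificate you obtained, together with its private key, to the ESXi host.
In this example, we will replace the existing certificate with one obtained from Let's Encrypt.
The private key is sensitive: copy it over an encrypted channel (for example scp over SSH) and keep it readable only by root.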

Be careful when using Let's Encrypt certificates.
The default key type for Let's Encrypt is currently [ECDSA], but ESXi does not support [ECDSA] server certificates, so when obtaining a certificate from Let's Encrypt with the [certbot] command, you need to add the [--key-type rsa] option to obtain an [RSA] certificate.
Let's Encrypt certificates are also short-lived, so the replacement below has to be repeated each time the certificate is renewed.

[2] Replace certificate.
# the certificate chain and private key you obtained yourself, already copied to /tmp
# (in the listing below privkey.pem is mode 0600, i.e. readable by root only; keep it that way)

[root@ctrl:~]
ll /tmp/*.pem

-rw-r--r--    1 root     root          5510 Dec 26 00:59 /tmp/fullchain.pem
-rw-------    1 root     root          1704 Dec 26 00:59 /tmp/privkey.pem

# put the host into maintenance mode before touching the certificate files,
# then confirm the state with "get" (expected output: Enabled)

[root@ctrl:~]
esxcli system maintenanceMode set --enable true

[root@ctrl:~]
esxcli system maintenanceMode get

Enabled
# replace the certificate: first back up the current rui.crt / rui.key as *.orig
# (cp -p keeps their mode, ownership and timestamps), then overwrite both files
# with the new certificate chain and private key
# NOTE(review): before rebooting, confirm that the new rui.crt and rui.key belong
# together (e.g. compare the public key of each with openssl) and that rui.key is
# still readable only by root; a mismatched pair may leave the management services
# unable to serve HTTPS, and the *.orig copies are the way back
# NOTE(review): /tmp/privkey.pem remains as a second copy of the private key;
# remove it once the new certificate is confirmed working

[root@ctrl:/tmp]
cd /etc/vmware/ssl

[root@ctrl:/etc/vmware/ssl]
cp -p rui.crt rui.crt.orig

[root@ctrl:/etc/vmware/ssl]
cp -p rui.key rui.key.orig

[root@ctrl:/etc/vmware/ssl]
cp /tmp/fullchain.pem ./rui.crt

[root@ctrl:/etc/vmware/ssl]
cp /tmp/privkey.pem ./rui.key
# reboot the host so that the new certificate takes effect
# (--reason is the operator-supplied reason for the reboot)

[root@ctrl:/etc/vmware/ssl]
esxcli system shutdown reboot --reason "Replacing Certificate"
# after the reboot, take the host out of maintenance mode
# and confirm the state with "get" (expected output: Disabled)

[root@ctrl:~]
esxcli system maintenanceMode set --enable false

[root@ctrl:~]
esxcli system maintenanceMode get

Disabled
# * if needed, the auto-generated certificate can be re-created as follows
# NOTE(review): this presumably overwrites the current rui.crt / rui.key, so keep
# a copy of any certificate and key you still need before running it (confirm)

[root@ctrl:~]
/sbin/generate-certificates

[3] Make sure that certificate warnings are no longer shown in VMware Host Client. (This applies only if your certificate is valid, i.e. issued by a CA your browser trusts and matching the host name you use to connect.)