VMware ESXi 7

Replace Certificate 2023/02/22

 

Replace the certificate that was automatically generated when ESXi was installed with one you obtained yourself, for example from Let's Encrypt.

 

This example replaces it with a certificate obtained from Let's Encrypt.

Be careful when using Let's Encrypt certificates.
The default key type for Let's Encrypt is currently [ECDSA], but ESXi does not support [ECDSA] server certificates. When you obtain the certificate with the [certbot] command, add the [--key-type rsa] option so that an [RSA] certificate is issued.
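
The following pre-flight check is an added example, not part of the original page: it confirms that the certificate carries an RSA key, that the private key matches it, and that it has not expired, before anything under /etc/vmware/ssl is overwritten. The function name check_esxi_cert is hypothetical, and the script assumes the openssl command is available on the host where it is run.

```shell
#!/bin/sh
# check_esxi_cert CERT KEY  (hypothetical helper, not an ESXi command)
# Returns 0 only if CERT's first certificate has an RSA key, KEY is the
# matching private key, and the certificate has not expired.
check_esxi_cert() {
    cert="$1"; key="$2"

    # openssl x509 reads the first PEM block, i.e. the leaf in fullchain.pem.
    alg=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
          sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    if [ "$alg" != "rsaEncryption" ]; then
        echo "FAIL: key algorithm is '${alg:-unreadable}', expected rsaEncryption" >&2
        return 1
    fi

    # Same public key on both sides means the key belongs to the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read private key $key" >&2; return 2; }
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 3
    fi

    # -checkend 0 exits non-zero when the certificate is already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired" >&2
        return 4
    fi
    echo "OK: RSA certificate and key match"
}

# Run as: sh check.sh /tmp/fullchain.pem /tmp/privkey.pem
if [ "$#" -eq 2 ]; then
    check_esxi_cert "$1" "$2"
fi
```

A non-zero exit status means the files should not be copied to rui.crt and rui.key.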

[1] Replace certificate.
# the certificate you obtained yourself

[root@ctrl:~]
ll /tmp/*.pem

-rw-r--r--    1 root     root          5591 Feb 22 02:14 /tmp/fullchain.pem
-rw-------    1 root     root          1704 Feb 22 02:14 /tmp/privkey.pem

# switch system to the maintenance mode

[root@ctrl:~]
esxcli system maintenanceMode set --enable true

[root@ctrl:~]
esxcli system maintenanceMode get

Enabled
# replace certificate

[root@ctrl:/tmp]
cd /etc/vmware/ssl

[root@ctrl:/etc/vmware/ssl]
cp -p rui.crt rui.crt.orig

[root@ctrl:/etc/vmware/ssl]
cp -p rui.key rui.key.orig

[root@ctrl:/etc/vmware/ssl]
cp /tmp/fullchain.pem ./rui.crt

[root@ctrl:/etc/vmware/ssl]
cp /tmp/privkey.pem ./rui.key
# restart system

[root@ctrl:/etc/vmware/ssl]
esxcli system shutdown reboot --reason "Replacing Certificate"
# after restarting, unset maintenance mode

[root@ctrl:~]
esxcli system maintenanceMode set --enable false

[root@ctrl:~]
esxcli system maintenanceMode get

Disabled
[2] Make sure that no certificate warning is shown in VMware Host Client (this applies only if your certificate is a valid one).