ESXi Host SSL Certificate Trust

Introduction

I run my lab nested in VMware Workstation but I do have a physical standalone ESXi host (a Lenovo ThinkCenter M700 Tiny) which I use for quick testing VMs, PowerCLI, Packer, etc. It’s a minor annoyance to click through the SSL Certificate prompt:

SSL Certificate

Then when you get through to the login screen the certificate is not trusted:

SSL Cert

This post will show you how to trust that certificate in the browser to make connections to the host that little bit more seamless.

Enable SSH on the Host

First you will need to enable SSH on the host to regenerate the certificate then download it later on. Log into your host and go to Manage….Services…TSM-SSH then click Start (or ensure service is running):

SSH

SSH

Regenerate Certificate

While we are dealing with certificates you may as well generate a fresh certificate. SSH in to the host and run the following commands:

[root@esxi2:~] cd /etc/vmware/ssl
[root@esxi2:/etc/vmware/ssl] /sbin/generate-certificates

then reboot the host (so pick your maintenance window):

[root@esxi2:/etc/vmware/ssl] reboot

We now have a fresh certificate, but it is still not trusted by your computer or browser.

Import the Certificate

Next up it to get the correct file from the host. Use a package such as WinSCP to copy the file off the host to your computer. The file you need to grab is /etc/vmware/ssl/castore.pem. Next on your workstation open an MMC console and add the Certiciates snap-in. Make sure when adding the snap-in select Computer Account:

MMC

Expand out Certificates...Trusted Root Certification Authorities...Certificates then right click on Certificates and select All Tasks...Import

MMC

Click Next then in the File to Import screen browse to the downloaded castore.pem file you downloaded earlier. You will have to change the file type drop down to All Files (*.*):

MMC

After clicking Next in the Certificate Store screen ensure the Trusted Root Certification Authorities is selected:

MMC

Complete the wizard. Let’s check the Host UI now:

SSL Trust

Wrap Up

When running a homelab a full on Certificate Authority is not really necessary. Trusting the certificates just makes day to day access easier.

Categories:

Updated: