Replacing the SSL Certificates on ESXi

The ESXi server uses a self-signed SSL certificate by default. As you know, that is not what I prefer, especially since I am working with CAcert certificates. Sadly there is no nice GUI for replacing those certs, so I was forced to take a dive into the console side of VMware once again, looking for the certificates currently in use.

First you need to enable SSH access to the box, as transferring files to the host without scp would be rather tedious. SSH can be enabled either from the vSphere Client or from the Direct Console (the settings screen on the server itself). The certificates in use are located in /etc/vmware/ssl; two files matter: rui.key and rui.crt. The latter is the certificate, the former the private key. That key is the host's identity, so keep it readable by root only and do not leave spare copies of it lying around.

Now that we know what to replace, we can create the CSR, the Certificate Signing Request, which plain OpenSSL can do. I used the CSR script offered by CAcert, as I am getting lazy over time doing that procedure over and over again. Generating the CSR also produces a new private key, which we need to save as rui.key. Make sure the common name (and ideally a subjectAltName entry) in the request is the host name you actually use to connect, otherwise the client will keep complaining even with a CA-signed certificate. The next step is passing the CSR on to the CA (Certificate Authority), in my case CAcert. If you use a different CA, the procedure is the same: they sign your request and hand back the certificate. The result needs to be saved as rui.crt.

As there are not many tools on the ESXi host, I copied the certificate files to the server using SCP (after backing up the old pair) and rebooted the machine to make the new ones take effect. I know, the clean solution would be restarting the services, but in this case a reboot makes things easier. If you messed up the certificates, you will notice by being unable to log into the ESXi server using vSphere. That is not a real problem, as VMware provides a handy shell script to generate new (self-signed) certificates:

/sbin/create_certificates
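The whole procedure as one script, added here as an example and not part of the original post: it generates the key and CSR, checks that the certificate handed back by the CA really belongs to that key and to the host name before anything is copied (the mismatch that otherwise locks you out), and then installs the pair over SSH. The host name esxi.example.com and the working directory are assumptions; the -addext option needs OpenSSL 1.1.1 or newer; the restart commands are the standard ESXi management-agent restarts (hostd and vpxa), used here instead of the reboot described above.

```shell
#!/bin/sh
# Added example (not from the post): key + CSR generation, a pre-install check
# that the CA-issued certificate belongs to the generated key, and the copy to
# the host. ESXI_HOST and WORKDIR are assumed values; the restart commands are
# the standard ESXi management-agent restarts (hostd, vpxa).
set -eu

ESXI_HOST="${ESXI_HOST:-esxi.example.com}"   # assumed FQDN of the ESXi host
WORKDIR="${WORKDIR:-./esxi-cert}"            # assumed local working directory

# 1. Private key and CSR. The key becomes rui.key; the CSR goes to the CA.
#    -addext needs OpenSSL 1.1.1+; the SAN matters because modern clients
#    ignore the CN when matching the host name.
make_csr() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/rui.key" -out "$dir/rui.csr" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/rui.key"
}

# 2. Check the signed certificate before copying anything: its public key must
#    be the one in rui.key (compared as PEM SubjectPublicKeyInfo) and it must be
#    valid for the name used to connect. A mismatched pair leaves hostd unable
#    to start, which is the lock-out the post warns about.
cert_matches_key() {
    key="$1"; crt="$2"; host="$3"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
        return 1
    fi
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'
}

# 3. Install over SSH (enabled earlier): back up the old pair, copy the new
#    one into /etc/vmware/ssl, restart the management agents instead of rebooting.
install_certs() {
    host="$1"; dir="$2"
    ssh "root@$host" 'cd /etc/vmware/ssl && cp rui.key rui.key.bak && cp rui.crt rui.crt.bak'
    scp "$dir/rui.key" "$dir/rui.crt" "root@$host:/etc/vmware/ssl/"
    ssh "root@$host" '/etc/init.d/hostd restart && /etc/init.d/vpxa restart'
}

# Driver: "prepare" creates the CSR to hand to the CA, "install" verifies the
# signed rui.crt in WORKDIR against rui.key and only then copies both to the host.
case "${1:-}" in
    prepare) make_csr "$ESXI_HOST" "$WORKDIR" && cat "$WORKDIR/rui.csr" ;;
    install) cert_matches_key "$WORKDIR/rui.key" "$WORKDIR/rui.crt" "$ESXI_HOST" \
                 && install_certs "$ESXI_HOST" "$WORKDIR" ;;
esac
```

Run it with `prepare` to get the CSR to paste into the CA's form, save the returned certificate as rui.crt in the working directory, then run it with `install`. If the check in step 2 fails, nothing is copied and the host keeps its old pair, so /sbin/create_certificates is only needed when a bad pair has already been installed.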
