After you generate signed certificates for the ESXi hosts by using the CertGenVVD utility and configure vCenter Server to accept custom certificate authorities, replace the present certificates with the custom ones on the hosts. You replace host certificates if they are about to expire, are VMCA-signed or are compromised.

About this task

You replace the certificate separately on each host in the consolidated cluster.

Table 1. Certificate File Names for the ESXi Hosts

ESXi Host                             Certificate File Names
sfo01w01esx01.sfo01.rainpole.local    sfo01w01esx01.key, sfo01w01esx01.1.cer
sfo01w01esx02.sfo01.rainpole.local    sfo01w01esx02.key, sfo01w01esx02.1.cer
sfo01w01esx03.sfo01.rainpole.local    sfo01w01esx03.key, sfo01w01esx03.1.cer
sfo01w01esx04.sfo01.rainpole.local    sfo01w01esx04.key, sfo01w01esx04.1.cer

Procedure

  1. Log in to vCenter Server by using the vSphere Web Client.
    1. Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

      Setting      Value
      User name    administrator@vsphere.local
      Password     vsphere_admin_password

  2. Disable lockdown mode on the sfo01w01esx01.sfo01.rainpole.local host.
    1. From the Home menu of the vSphere Web Client, select Hosts and Clusters.
    2. In the Navigator, expand the sfo01w01vc01 > sfo01-w01dc > sfo01-w01-consolidated01 tree, select the sfo01w01esx01.sfo01.rainpole.local host object, and click the Configure tab on the right.
    3. Under System, click Security Profile, scroll down to Lockdown Mode, and click Edit.
    4. In the Lockdown Mode dialog box, select Disabled and click OK.
    5. Scroll up to the Services pane and click Edit.
    6. In the Edit Security Profile dialog box, select SSH.
    7. Click Start if the service status is not Running.
    8. Click OK to close the Edit Security Profile dialog box.
  3. Place the host in maintenance mode.
    1. Right-click the sfo01w01esx01.sfo01.rainpole.local host object and select Maintenance Mode > Enter Maintenance Mode.
    2. In the Confirm Maintenance Mode dialog box, select Move powered-off and suspended virtual machines to other hosts in the cluster and click OK.
  4. Replace the certificate files on the host.
    1. After the maintenance task is complete, open an SSH connection to the sfo01w01esx01.sfo01.rainpole.local host using the following credentials.

      Option       Description
      User name    root
      Password     esxi_root_user_password

    2. Copy the sfo01w01esx01.key and sfo01w01esx01.1.cer files from the Windows host where you run the CertGenVVD tool to the /etc/vmware/ssl directory on the host.
    3. Run the following commands to back up the present certificate and key files and to replace them with the generated files.
      cd /etc/vmware/ssl
      cat rui.crt >> rui.bak        # append the current certificate to the backup file
      cat rui.key >> rui.bak        # append the current private key to the same file; rui.bak now needs the same protection as rui.key
      mv sfo01w01esx01.key rui.key   # install the generated private key
      mv sfo01w01esx01.1.cer rui.crt # install the generated certificate
  5. Restart the management agents on the host.
    1. Run the dcui command to open the Direct Console User Interface (DCUI).
    2. Press the F12 key to access the System Customization menu.
    3. Select Troubleshooting Options and press Enter.
    4. Select Restart Management Agents and press Enter.
    5. Press the F11 key to confirm the restart and press Enter when the restart completes.
    6. Press Ctrl+C to close the dcui application.
    7. Run the following commands to restart the vsanvpd and vsanmgmtd services.
      /etc/init.d/vsanvpd restart
      /etc/init.d/vsanmgmtd restart
  6. Verify that the custom certificate is installed.
    1. Open a Web browser and go to https://sfo01w01esx01.sfo01.rainpole.local.
    2. Verify that the certificate returned by the host is signed by Rainpole instead of by VMware.
  7. Exit maintenance mode of the host.
    1. Open a Web browser and go to https://sfo01w01vc01.sfo01.rainpole.local.
    2. Log in using the following credentials.

      Setting      Value
      User name    administrator@vsphere.local
      Password     vsphere_admin_password

    3. From the Home menu, select Hosts and Clusters.
    4. Under the sfo01-w01dc data center, right-click the sfo01w01esx01.sfo01.rainpole.local host object and select Maintenance Mode > Exit Maintenance Mode.
    5. Make sure that no warning message about an untrusted sfo01w01esx01.sfo01.rainpole.local certificate appears.
  8. Reconnect the ESXi host to vCenter Server to update the host certificate on vCenter Server.
    1. Expand the sfo01w01vc01 > sfo01-w01dc > sfo01-w01-consolidated01 tree, right-click the sfo01w01esx01.sfo01.rainpole.local host object and select Connection > Disconnect.
    2. Click Yes in the Confirm Disconnect popup window.
    3. Wait until the host is disconnected.
    4. Right-click the sfo01w01esx01.sfo01.rainpole.local host object and select Connection > Connect.
    5. In the Navigator, under Hosts and Clusters, select sfo01w01esx01.sfo01.rainpole.local, and click the Configure tab.
    6. Under System, select Certificates and verify that the certificate displayed for the host is the new one.
  9. Verify that the storage providers are online for the ESXi host.
    1. In the Navigator, select the sfo01w01vc01.sfo01.rainpole.local vCenter Server object and click the Configure tab.
    2. Under More, select Storage Providers.
    3. Verify that the status for the http://sfo01w01esx01.sfo01.rainpole.local:8080/version.xml URL of the vSAN storage provider is Online.
    4. If the status of the URL is different from Online, select the URL, click the Unregister the selected storage provider icon, and click Synchronizes all the storage providers with the current states of the environment icon.
  10. Repeat the procedure for the rest of the ESXi hosts in the consolidated cluster.
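The browser checks in steps 6 and 8 can be scripted for all four hosts in Table 1 so that a host whose certificate is still VMCA-signed, does not chain to the custom CA, or is close to the expiry trigger named at the top of this page is reported rather than eyeballed. This is an added example written for this page, not part of the VMware procedure or the CertGenVVD tool; the CA bundle path rainpole-ca.pem and the issuer organization name "Rainpole" are assumptions, and the script runs from an administrator workstation that can reach the hosts on port 443.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Hosts from Table 1 of the procedure.
HOSTS = ["sfo01w01esx%02d.sfo01.rainpole.local" % n for n in range(1, 5)]
# Assumption: the CertGenVVD CA chain exported in PEM form, the only trust anchor we accept.
CUSTOM_CA_FILE = "rainpole-ca.pem"
# Assumption: the organizationName the custom CA puts in the issuer field.
EXPECTED_ISSUER_ORG = "Rainpole"


def evaluate_peer_cert(cert, expected_org, now, warn_days=30):
    """Return a list of findings for a certificate dict as returned by getpeercert().

    An empty list means the certificate is issued by the expected organization
    and is neither expired nor within warn_days of expiry.
    """
    findings = []
    # getpeercert() encodes the issuer as a tuple of RDNs, each a tuple of (key, value) pairs.
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != expected_org:
        findings.append("issuer is %r, not %r" % (issuer.get("organizationName"), expected_org))
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if expires <= now:
        findings.append("certificate expired on %s" % expires.date())
    elif expires - now < timedelta(days=warn_days):
        findings.append("certificate expires within %d days (%s)" % (warn_days, expires.date()))
    return findings


def check_host(host, cafile=CUSTOM_CA_FILE, port=443, now=None):
    """Connect to one ESXi host, require a chain to the custom CA, then evaluate its certificate."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context(cafile=cafile)  # hostname and chain verification stay enabled
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # populated only because verification succeeded
    except ssl.SSLCertVerificationError as exc:
        # A VMCA-signed or otherwise unexpected certificate fails here before any fields are read.
        return ["does not chain to the custom CA: %s" % exc.verify_message]
    return evaluate_peer_cert(cert, EXPECTED_ISSUER_ORG, now)


if __name__ == "__main__":
    for h in HOSTS:
        problems = check_host(h)
        print(h, "OK" if not problems else "; ".join(problems))
```

A host that still fails after the replacement usually has not completed step 5 (management agent restart) or step 8 (reconnect), so rerun the check after those steps rather than reinstalling the files.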