Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Managing ESXi SSL certificate properties from vCenter server

One of the way to manage esxi certificate properties is using vCenter server, This is good option where you don't have generate a certificate for every indivisual Esxi. You just need to configure valid SSL certificate once on the vCenter VMCA. Improving Esxi security by using vCenter server can ensure that all the esxi servers are compliant on SSL certificate configuration. To configure the settings, login to vsphere client, go to vCenter server >> Configure >> Advanced Settings >> EDIT SETTINGS

Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
Managing ESXi SSL certificate properties from vCenter server

vmware vsphere vcenter client advanced vcenter server settings advanced settings edit settings Authentication Proxy vCenter HA Config.drs.kvstore.local config.log.level certmgmt.png

This opens Edit Advanced vCenter Server Settings box, On the name header click on filter icon and search for certmgmt. Replace the settings as per your organization. There are multiple settings, scroll them also go to another page. Below table is to understand certificate related settings with their description. 

NameSummary
vpxd.certmgmt.certs.cn.countryThe Country Name to be included as part of the ESXi host's certificate
vpxd.certmgmt.certs.cn.emailThe e-mail address to be included as part of the ESXi host's certificate
vpxd.certmgmt.certs.cn.localityNameThe Locality Name, e.g. city name, to be included as part of the ESXi host's certificate
vpxd.certmgmt.certs.cn.organizationalUnitNameThe Organizational Unit Name to be included as part of the ESXi host's certificate
vpxd.certmgmt.certs.cn.organizationNameThe Organization Name to be included as part of the ESXi host's certificate
vpxd.certmgmt.certs.cn.stateThe State Name or Province Name to be included as part of the ESXi host's certificate
vpxd.certmgmt.certs.daysValidThe ESXi host's certificate validity period in days.
vpxd.certmgmt.certs.hardThresholdThe ESXi host's certificate management hard threshold, in days. When this threshold is reached, the vCenter Server system displays red alarms about the impending certificate expiration.
vpxd.certmgmt.certs.minutesBefore 
vpxd.certmgmt.certs.pollIntervalDaysThe interval (in days) between ESXi host certificate validity checks by the vCenter Server system
vpxd.certmgmt.certs.softThresholdThe ESXi host's certificate management soft threshold, in days. When this threshold is reached, the vCenter Server system displays information about the impending certificate expiration.
vpxd.certmgmt.modeThe ESXi host's certificate management mode. Possible values are vmca, custom, thumbprint.

vmware vsphere web client vcenter edit advanced vcenter server settings esxi vpxd.certmgmt.cert.cn country email localityname orgnizationalunitname, daysvalid certificate.png

Once vCenter server's certificate related advanced settings are configured, go to each esxi server's >> Configure tab >> Certificate option. Here check the certificate subject, information related email address, orgnizationunitname, location and related information is the default one respective to VMware. First Renew certificate for the esxi host and then Refresh CA certificates. Press yes to confirm.

vmware vsphere vcenter webclient certificate renew, refresh ca certificates subject replace esxi certificate properties from vcenter advanced settings certmgmt.png

Once certificate is renewed and refreshed, verify the certificate subject now. it will be pertaining to I filled up certificate data in advanced settings of vCenter server.

vmware vsphere ui client vcenter esxi configure certificate renew refresh ca certificate subject certmgmt advanced settings engineering vmware issuer vcenter.png

Useful Articles
VMWARE SECURITY BEST PRACTICES: POWERCLI ENABLE OR DISABLE ESXI SSH
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
Configure syslog on VMware ESXi hosts: VMware best practices
Configure SNMP on ESXi Server GUI :Vmware Best Practices

Go Back

Comment

Blog Search

Page Views

3618765

Follow me on Blogarama