emcome

Replacing the ESXi host SSL certificate

 

1. Generate the certificate request file rui.csr and the private key rui.key

a. Create the file esxi.cfg with the following contents:

 

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# An IP address must be listed as an IP: entry; clients do not match it against a DNS: entry.
subjectAltName = DNS:esxi-dell, IP:192.168.191.23, DNS:esxi-dell.demo-cq.cn

[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = ChongQing
localityName = CQ
0.organizationName = Demo-cq, Inc
organizationalUnitName = esxi-dell
commonName = esxi-dell.demo-cq.cn

 

 

 

 

 

b. Generate the certificate request and the private key:

openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config esxi.cfg

 

 

 

c. Convert the key to RSA format by running the following command:

 

 

 

openssl rsa -in rui-orig.key -out rui.key

 

 

 

2. Use the certificate request file rui.csr to request the certificate rui.crt from a CA

a. Using a Microsoft CA

 

For Microsoft CAs:

 

 

 

Note: For Windows Server 2003 CAs, Enterprise edition is required. Other Windows Server 2003 editions do not have the correct templates for exporting a valid SSL certificate.

 

  1. Log in to the Microsoft CA certificate authority web interface. By default, it is http://<servername>/CertSrv/
  2. Click Request a certificate.
  3. Click advanced certificate request.
  4. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  5. Open the certificate request in a plain text editor.
  6. Copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
  7. Click Web Server when selecting the Certificate Template.
  8. Click Submit to submit the request.
  9. Click Base 64 encoded on the Certificate issued screen.
  10. Click Download Certificate.
  11. Save the certificate on the desktop of the server as rui.crt. When complete, proceed to Installing and configuring the certificate on the ESXi host to complete the configuration of the custom certificate.

 

 

 

Source: <http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2015499>

 

 

 

 

 

b. Using an OpenSSL CA

 

openssl ca -in rui.csr -out rui.crt

 

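3. Put the ESXi host into maintenance mode and enable SSH

4. Use a tool such as WinSCP or sftp to upload rui.crt and rui.key to the /etc/vmware/ssl directory on the ESXi host, overwriting the current files

5. Restart the management agents (DCUI -> troubleshooting -> restart agent)

Or run the command: services.sh restart

6. Browse to https://esxi_IP and inspect the current certificate to verify that the replacement succeeded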

 

KB: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2015499
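
The checks below are an added example, not part of the original post or the VMware KB: run on the workstation before the upload step, they confirm that rui.key is in RSA PEM format, that rui.crt was issued for that key, and that the host name appears in subjectAltName. The function names are hypothetical; the file names and host name are the ones used on this page.

```shell
#!/bin/sh
# Added example: checks on rui.crt / rui.key before they overwrite the files
# in /etc/vmware/ssl. Function names are hypothetical, not from the VMware KB.

# True if the key carries the traditional RSA PEM header, the format the
# `openssl rsa` conversion step is meant to produce.
key_is_rsa_format() {
    [ "$(head -n 1 "$1")" = "-----BEGIN RSA PRIVATE KEY-----" ]
}

# True if the certificate's public key belongs to the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the name or address appears as its own subjectAltName entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# Usage: check_esxi_pair rui.crt rui.key esxi-dell.demo-cq.cn
check_esxi_pair() {
    rc=0
    key_is_rsa_format "$2" || { echo "FAIL: $2 is not in RSA PEM format" >&2; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 was not issued for $2" >&2; rc=1; }
    cert_has_san "$1" "$3" || { echo "FAIL: $3 missing from subjectAltName" >&2; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    check_esxi_pair "$@"
fi
```

A non-zero exit status means at least one check failed and the pair should not be uploaded as it is.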

 
