ESXi主機SSL證書更換
1、生成證書請求檔案rui.csr及私鑰rui.key
a、建立esxi.cfg檔案内容如下:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi-dell, DNS:192.168.191.23, DNS:esxi-dell.demo-cq.cn
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = ChongQing
localityName = CQ
0.organizationName = Demo-cq, Inc
organizationalUnitName = esxi-dell
commonName = esxi-dell.demo-cq.cn
b、openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config esxi.cfg
c、Convert the Key to be in RSA format by running the following command:
openssl rsa -in rui-orig.key -out rui.key
2、向使用證書請求檔案rui.csr向CA申請證書rui.crt
a、使用Microsoft CA
For Microsoft CAs:
Note: For Windows Server 2003 CA's, Enterprise edition is required. Other Windows Server 2003 editions do not have the correct templates for exporting a valid SSL certificate.
- Log in to the Microsoft CA certificate authority web interface. By default, it is http://<servername>/CertSrv/
- Click Request a certificate.
- Click advanced certificate request.
- Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Open the certificate request in a plain text editor.
- Copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box.
- Click Web Server when selecting the Certificate Template.
- Click Submit to submit the request.
- Click Base 64 encoded on the Certificate issued screen.
- Click Download Certificate.
- Save the certificate on the desktop of the server as rui.crt. When complete, proceed to Installing and configuring the certificate on the ESXi host to complete the configuration of the custom certificate.
來自 <http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2015499>
b、使用Openssl CA
openssl ca -in rui.csr -out rui.crt
3、将Esxi主機置于維護模式,并打開ssh
3、使用winSCP,sftp等工具将rui.crt和rui.key上傳至esxi主機目錄:/etc/vmware/ssl 并覆寫目前檔案
4、重新啟動管理程序(在DCUI---troubleshooting-restart agent)
或執行指令: services.sh restart
5、通路https://esxi_IP 檢視目前證書即可驗證是否成功
KB: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2015499