3

I would like to replace the (self signed) SSL certs on various ESXi 5.5 hosts with ones generated by our own CA. I found docs on the VMware site on how to overwrite the key and cert files on the ESXi host, but NOT on how to generate a CSR on the host.

Can someone explain how to generate the CSR on the ESXi host?

TSG

1 Answer

1

The CSR can be generated on any host - it doesn't need to be generated on the host that will receive the certificate.

When you generate the CSR, you will be asked for the Common Name (CN) which the Certificate will be issued for, in which case you enter the ESXi server's DNS name.

You will need a machine with a recent version of OpenSSL to issue a CSR.

VMware have a KB article on how to issue a CSR for ESXi 5.1 (which mostly applies to 5.5 also). It seems VMware also recommend generating the CSR from your local machine, as opposed to directly on the host.

See this answer for more information about CSRs in general.

danw3108
  • What about a key file? Do I generate that too and just place on the ESXi host? I use XCA so I have a friendly interface to generating certs. But I've never encountered the need to generate a cert w/o csr, nor generate a (private?) key for the server – TSG Mar 23 '16 at 19:52
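
An added example, not part of the original answer or of the VMware KB article: generating the private key and the CSR together on an admin workstation with OpenSSL, as the answer describes, then confirming the CSR belongs to that key before it goes to the CA. The host name `esxi01.example.com`, the file names, the 2048-bit RSA key and the subjectAltName entry are assumptions.

```shell
#!/bin/sh
# Added example: key + CSR for one ESXi host, created off-host.
# esxi01.example.com and all file names are constructed placeholders.

make_csr() {
    fqdn=$1; outdir=$2
    mkdir -p "$outdir" || return 1

    # Non-interactive request config: CN is the host's DNS name,
    # repeated as a subjectAltName (assumed to be wanted by the CA).
    cat > "$outdir/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$fqdn
EOF

    # The private key is created in a subshell with a tight umask so the
    # file is readable by its owner only. It never goes to the CA.
    (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/host.key") 2>/dev/null || return 1

    # The CSR carries only the public key and the requested names.
    openssl req -new -sha256 -key "$outdir/host.key" \
        -config "$outdir/req.cnf" -out "$outdir/host.csr" || return 1
}

# Returns 0 only if the CSR's self-signature verifies and its public key
# is the public half of the given private key.
csr_matches_key() {
    csr=$1; key=$2
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Usage:
#   make_csr esxi01.example.com ./esxi01 &&
#   csr_matches_key ./esxi01/host.csr ./esxi01/host.key && echo "CSR ok"
```

Only `host.csr` is submitted to the CA; `host.key` is what later gets installed on the ESXi host next to the issued certificate.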