Google Chrome won't remember a username/password you entered on a web page if the site's SSL certificate isn't valid. VMware ESXi uses a self-signed certificate for its web interface by default, so Chrome doesn't see it as valid. This makes logging into my ESXi host a little more cumbersome than I want. To fix it, we create a certificate authority, create a private key, create a signing request, create the certificate, and finally apply it all. Most of this will be done with a script to help automate it.

Certificate Authority

Create a blank directory and cd into it.

$ mkdir sslcerts
$ cd sslcerts

Create a private key for your certificate authority.

$ openssl genrsa -des3 -out ca.key 2048

Create the self-signed root certificate (the public half) for your new certificate authority.

$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem

Import the ca.pem into your trusted root certificate authority store on your desktop/laptop. This will allow your computer to trust anything signed by this certificate authority.

ESXi Certificates

This script will create the needed private key and public certificate, signed by the CA from the previous section (it expects ca.key and ca.pem in the current directory).

#!/bin/bash
# Usage: gen_vmware_esxi_certificate <fqdn> <hostname> <ip>
# Generates a key and CSR for an ESXi host and signs it with ca.key/ca.pem.
set -euo pipefail

FQDN="${1:-}"
HN="${2:-}"
IP="${3:-}"

if [ -z "${IP}" ]; then
  echo "usage: ${0} fqdn hostname ip" >&2
  exit 1
fi

# Temporary OpenSSL config files; mktemp avoids writing to a predictable path in /tmp.
CSR_CONF="$(mktemp)"
EXT_CONF="$(mktemp)"
trap 'rm -f "${CSR_CONF}" "${EXT_CONF}"' EXIT

# Config for the certificate signing request (subject and requested extensions).
cat > "${CSR_CONF}" << EOF
[ req ]
default_md = sha512
default_bits = 4096
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ req_distinguished_name ]
countryName = "US"
stateOrProvinceName = "ST"
localityName = "City"
0.organizationName = "Example.org"
organizationalUnitName = "Example.org"
commonName = "${FQDN}"

[ alt_names ]
DNS.1 = ${FQDN}
DNS.2 = ${HN}
IP.1 = ${IP}
EOF

# Extensions written into the signed certificate. "openssl x509 -req" does not copy
# the CSR's extensions, so the SANs have to be repeated here.
cat > "${EXT_CONF}" << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = ${FQDN}
DNS.2 = ${HN}
IP.1 = ${IP}
EOF

mkdir -p "${FQDN}"
# Generate private key
openssl genrsa -out "${FQDN}/${FQDN}.key" 4096
# Generate certificate signing request from that key
# (-key rather than -keyout, so a second key is not generated and the first overwritten)
openssl req -new -key "${FQDN}/${FQDN}.key" -out "${FQDN}/${FQDN}.csr" -config "${CSR_CONF}"
# Sign the request with the CA; you will be prompted for the ca.key pass phrase
openssl x509 -req -in "${FQDN}/${FQDN}.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -out "${FQDN}/${FQDN}.crt" -days 365 -sha256 -extfile "${EXT_CONF}"
rm "${FQDN}/${FQDN}.csr"

echo
echo "You need to do something like the following for the new certificate to take effect:"
echo "scp ${FQDN}/${FQDN}.crt root@${FQDN}:/etc/vmware/ssl/rui.crt"
echo "scp ${FQDN}/${FQDN}.key root@${FQDN}:/etc/vmware/ssl/rui.key"
echo "ssh root@${FQDN} /etc/init.d/hostd restart"

Supply the script with the fully qualified domain name, hostname, and IP address.

$ bash gen_vmware_esxi_certificate esxi.example.org esxi 172.16.16.1
Generating RSA private key, 4096 bit long modulus (2 primes)
...........................................................................++++
........................................++++
e is 65537 (0x010001)
Generating a RSA private key
................................................................................................................................................................................................................................................++++
.......................................................................++++
writing new private key to 'esxi.example.org/esxi.example.org.key'
-----
Signature ok
subject=C = US, ST = ST, L = City, O = My Org, OU = My Dept, CN = esxi.example.org
Getting CA Private Key
Enter pass phrase for ca/ca.key:

You need to do something like the following for the new certificate to take effect:
scp esxi.example.org/esxi.example.org.crt esxi.example.org:/etc/vmware/ssl/rui.crt
scp esxi.example.org/esxi.example.org.key esxi.example.org:/etc/vmware/ssl/rui.key
ssh esxi.example.org /etc/init.d/hostd restart

You will need to copy the crt and key to the ESXi server and restart hostd, as hinted in the above output.
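Before copying the files, it is worth confirming that the certificate is actually what Chrome will accept: signed by the CA you imported, matched to the key you are about to upload, and covering every name in the SAN. This check script is an added example, not part of the original post; it assumes the file layout produced by the script above (ca.pem in the working directory, <fqdn>/<fqdn>.crt and .key) and the hypothetical function name verify_esxi_cert.

```shell
#!/bin/bash
# Pre-flight checks for a certificate produced by the generation script,
# run before it is copied to /etc/vmware/ssl on the ESXi host.
# Assumed layout: ca.pem in the working directory, <fqdn>/<fqdn>.crt and .key.

verify_esxi_cert() {
  local ca="$1" crt="$2" key="$3" fqdn="$4" hn="$5" ip="$6"
  local ok=0 crt_pub key_pub name

  # 1. Chain: the cert must be signed by the CA imported into the trust store.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt is not signed by $ca"; ok=1; }

  # 2. The key uploaded as rui.key must belong to rui.crt; compare a digest
  #    of the public key extracted from each file.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $crt"; ok=1; }

  # 3. Every name a browser may use must be covered by the SAN extension;
  #    Chrome does not fall back to the CN, so a missing entry brings the warning back.
  for name in "$fqdn" "$hn"; do
    openssl verify -CAfile "$ca" -verify_hostname "$name" "$crt" >/dev/null 2>&1 \
      || { echo "FAIL: SAN does not cover DNS name $name"; ok=1; }
  done
  openssl verify -CAfile "$ca" -verify_ip "$ip" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: SAN does not cover IP $ip"; ok=1; }

  # 4. The script signs for 365 days; warn when fewer than 30 remain.
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
    || echo "WARN: $crt expires within 30 days"

  [ "$ok" -eq 0 ] && echo "OK: $crt is ready to be installed on $fqdn"
  return "$ok"
}

# Example invocation with the names used in this post:
#   verify_esxi_cert ca.pem esxi.example.org/esxi.example.org.crt \
#     esxi.example.org/esxi.example.org.key esxi.example.org esxi 172.16.16.1
if [ "$#" -eq 6 ]; then
  verify_esxi_cert "$@"
fi
```

The function exits non-zero on any FAIL, so it can gate the scp step in a wrapper.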
