By default, VMware hypervisor hosts such as ESXi generate new certificates when the hypervisor is installed on bare-metal hardware. As you configure the host, allocate resources and harden it, the server configuration typically goes through many settings changes.
Among the hardening steps your organization may employ, joining the host to an Active Directory (AD) domain simplifies management of the hypervisor that runs your virtual machines (VMs): it centralizes which user accounts and groups are allowed to access the server and what changes they are authorized to make.
However, while joining the server to AD is straightforward, it will consistently fail if the SSL certificates used by the VMware host are expired, invalid, or otherwise corrupted. In any of these cases the host cannot authenticate domain accounts, which leaves administrators unable to manage the server until the problem is resolved. But how do you fix this once it has happened? Or, worse, if you have never been able to join the host to the domain in the first place?
Before we get into the process, there are a few requirements to meet so that everything works as expected.
- Bare-metal server with VMware hypervisor installed
- ESXi Shell enabled
- Local admin/root account to VMware host
- Windows or Mac computer
- SSH client
- Broadband ISP (optional, but may be required depending on your setup)
- Switched network (optional, but may be required depending on your setup)
Back up existing certificates
Log in to the ESXi Shell with your local admin account. Enter the following command to change the working directory to the location of the host certificates:
cd /etc/vmware/ssl
Enter the following commands, one at a time, to create backup copies of the CRT and KEY files associated with your server:
mv rui.crt rui.crt.bak
mv rui.key rui.key.bak
Generating new certificates
Log in to the ESXi Shell with your local admin account if you are not still logged in. Enter the following command to create the new certificates:
/sbin/generate-certificates
The new rui.crt and rui.key take the place of the originals, which survive only as the .bak copies created in the previous section. To verify that the new certificates were written, enter the following command and compare the time stamps:
ls -la
Reboot the host server, either manually or by entering the following command, to complete the configuration change:
esxcli system shutdown reboot --reason "Reason for reboot"
Note: Another way to obtain visual confirmation is to log on to the ESXi host via the web client and navigate to the Security & Users tab | Certificates. Under the Subject section, the host name of your VMware host should match the name after “CN=”.