Replacing self-signed SSL certificates to improve ESXi security

By default, VMware uses self-signed SSL certificates to establish a secure connection between a client and server, but some organizations may find that the default SSL certificates are not secure enough.

More on VMware SSL certificates

Certificates and the 

    Requires Free Membership to View

VMware Infrastructure 3 SDK

Creating and applying certificates in
VMware View

The default, self-signed SSL certificates are fine, as long as communication remains within a private network. However, any time traffic is sent across the Internet – which may occur when establishing a remote-management session with a vSphere infrastructure – it is better to use certificates signed by a trusted third party, which will verify the identity of your server.

Secure Sockets Layer (SSL) is a protocol that allows organizations to securely pass information between servers and clients. SSL uses a public/private key pair to encrypt data on the wire and to guarantee the identity of the server that you are communicating with.

When a user’s computer makes contact with a server, the server will send its public key infrastructure (PKI) certificate file. In the case of a signed certificate, a third party, known as a certificate authority, certifies that the certificate is authentic. However, these certificate costs money, and that´s why VMware uses self-signed SSL certificates by default.

Using a self-signed SSL certificate still ensures that the data is encrypted, but users cannot confirm that they are connecting to your server. Most Web browsers will notify a user if a secure connection is not signed by a certificate authority, flagging the connection as potentially dangerous. You can see this the first time you use the vSphere Client to connect to the ESXi host, which displays a message that the identity of your host cannot be verified.

Replacing self-signed SSL certificates
In most cases, your host is in your data center, so verifying its identity isn’t that important. In an environment that requires an increased level of security, you can replace the self-signed SSL certificate with a certificate generated by an external, trusted authority. Many organizations require certificates from third-party authorities to remain compliant with current regulations. You can request signed certificates from a certificate authorities, such as Thawte, Verisign or CACert.

The external certificate authority will send two files: One file with the extension .key, and another with the extension .crt. The .key file is the private key for your ESXi host, and you should protect access to it. The .crt file is the PKI certificate, which is sent to the client when the connection is initiated. This file is offered to the user who wants to connect with your server. You should make sure to copy these files to your ESXi server.

To copy the files to your ESXi host, you need to use the vCLI interface. You can download the vCLI installer for free from the VMware website. After you download the vCLI interface, open a command shell in Windows, and use the cd command to activate the vCLI folder (c:\Program Files\VMware\VMware vSphere CLI\bin by default). You can now copy the .key and .crt files to the correct location on the ESXi host using the commands below.

vifs --server youresxiserver.example.com --put yourkey.key /host/ssl_key
vifs --server youresxiserver.example.com --put yourkey.crt /host/ssl_cert

These commands assume that the files are in your current directory, so make sure to adjust the code to refer to the directory where you have downloaded these files. After copying over the files, restart the management interface to use them immediately.

Replacing self-signed SSL certificates on the ESXi host isn’t difficult and may give users an added sense of security when connecting to your server. But, first, you must weigh the cost of using a certificate authority, if regulations pertaining to your organization don’t prohibit self-signed SSL certificates.

This was first published in May 2012

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.