Manage Learn to apply best practices and optimize your operations.

Creating your own Certificates for the MUI

These are the instructions on how to use your own certificates with the MUI – rather than the self-generated ones from the installation of ESX.

This month I have the instructions on how to use your own certificates with the MUI – rather than the self-generated ones from the installation of ESX.

The creating the request part of this could be easily used with a 3rd party certificate authority such as Versign or Thwate. But this guide is geared up for those who run their own Certificate Authorities internally. The CA I used in my example ran on Windows 2003. But I guess it would work much the same on Windows 2000. 

Creating & Assigning your own Certificates for the MUI

From the official admin guide PDF: 

With SSL enabled, security certificates are created by ESX Server and stored on the server. However, the certificates used to secure your management interface sessions are not signed by a trusted certificate authority; therefore they do not provide authentication. If you intend to use encrypted remote connections externally, you should consider purchasing a certificate from a trusted certificate authority. If you prefer, you can use your own security certificate for your SSL connections. 

The VMware Management Interface certificate must be placed in /etc /vmwaremui /ssl (directory). The management interface certificate consists of 2 files: the certificate itself (mui.crt) and the private key file (mui.key). The private key file should be readable only by the root user. When you upgrade the management interface, the certificate remains in place and, in case you removed the management interface, the directory is not removed from the service console.”

This guide assumes that the Certificate of Authority (CA) has already been installed, and that the CA you are using is based in Windows 2003 in an Enterprise Mode. Enterprise Mode gives good integration with Active Directory. For example, clients who are part of the Active Directory domain automatically trust the Enterprise CA. It also assumes that you are happy using things like cd, nano or vi, Windows Secure Copy.

We can use openssl which is already installed to the Service Console to generate a new private key, and request file

  1. At Logon on the Service Console as ROOT
  2. Navigate to /etc/vmware-mui/ssl
  3. Create a backup directory for the old key/crt files with mkdir backup
    Move the existing key/crt files to this backup directory with


    mv *.* ./backup

  4. Restart the MUI with

    service httpd.vmware restart

    If you try to connect to the MUI now using https – you will receive a failure – because the certificate can no longer be found

  5. Generate a new private key with

    openssl genrsa 1024 > mui.key

  6. We can generate a certificate request in a text file format with:

    openssl req -new -key ./mui.key > request.csr

    When you run this you will be prompted for information which will be incorporated into your certificate request. Complete this form/wizard with information like so – remember to type your DN (Distinguished Name or FQDN to Windows people correctly!)

  7. Open the request.csr file with your preferred editor such as:

    nano -w request.csr

  8. Highlight all the text and copy

    Make sure you include ALL the text including —-BEGIN CERTIFICATE REQUEST—- and —-END CERTIFICATE REQUEST—-

At Windows 2003 Certificate Authority

  1. Navigate to http://yourCAservername/certsrvand login if prompted
  2. Choose Request a Certificate
  3. Choose Or submit an advanced certificate request.
  4. Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  5. In the Saved Request edit box - use control+v to paste the contents of the request.csr file
  6. Underneath Certificate Template select Web Server and click the Submit button

    If you are logged on as the Administrator of the CA, it will be automatically issued to you. It is assumed you trust yourself. If you are not the CA administrator you will have to inform them that you have made a request and wait for them to “issue” it using the Certificate Authority admin tool – then return to the certsrv website to check on your “pending” request and download it.

    You may wish at this point to check if your workstation has the Enterprise ROOT CA certificate (Internet Explorer 6.1, Tools, Options, Content, Certificates, Trusted Root Certification Authorities – and look for a name known within your organization, rather than a third party one)

    If it is not installed then, revisit the http://yourCAservername/certsrv and click Download a CA certificate, certificate chain, or CRL and choose Download CA Certificate

  7. Click the Download Certificate link
  8. In the dialog box choose Save calling it mui.crt

    If you just type mui – then Microsoft will add the .cer extension, rather than the crt extension which is used in the MUI. If you copy the file to the mui, it will not be recognized by httpd.conf

  9. Using something like WinSCP copy the mui.crt to /etc/vmware-mui/ssl

Back at the Service Console

  1. Logon to the Service Console as ROOT
  2. Restart the MUI with

    service httpd.vmware restart

    You should be able to load up your web-browser
    Type in the FQDN of you server

    If you double-click at the “Lock in your browser” it would look something like the Certificate Path tab in the dialog box


Dig Deeper on VMware ESX and ESXi administrative tips