Change the Machine SSL Certificate of an ESXi Host
You can use PowerCLI to change the Machine SSL certificates of one or more ESXi hosts in your vSphere environment.
Prerequisites
- Verify that the root certificate of the CA you are going to use is added to the trusted root store of vCenter Server and to the connected ESXi hosts.
Procedure
- Connect to the vCenter Server system.
$vCenterConnection = Connect-VIServer vc1.example.com `
    -User 'My User' `
    -Password 'My Password'
- In the vCenter Server system, retrieve the setting for the ESXi host certificate management mode.
$certModeSetting = Get-AdvancedSetting "vpxd.certmgmt.mode" -Entity $vCenterConnection
$certModeSetting.Value
- Change the setting to custom.
Set-AdvancedSetting $certModeSetting -Value "custom"
- For the new certificate management mode to take effect, reboot your vCenter Server system.
- Connect to the vCenter Server system.
$vCenterConnection = Connect-VIServer vc1.example.com `
    -User 'My User' `
    -Password 'My Password'
- Set the ESXi host you want to manage to Maintenance mode.
$vmhost = Get-VMHost 'MyESXiHost'
Set-VMHost -VMHost $vmhost -State Maintenance
- Generate a certificate signing request (CSR) for the ESXi host.
$esxRequest = New-VIMachineCertificateSigningRequest `
    -VMHost $vmhost `
    -Country "US" `
    -Locality "San Francisco" `
    -Organization "My Company" `
    -OrganizationUnit "PowerCLI" `
    -StateOrProvince "California" `
    -CommonName <ESXi host's FQDN> or <ESXi host's IP address>
Note: For CommonName, you must use either the ESXi host's FQDN or IP address. The common name must match the identifier you use to add the host to the vCenter Server system.
- Save the CSR to your system.
$esxRequest.CertificateRequestPEM | Out-File "C:\Users\jdoe\Downloads\esx.csr.pem" -Force
- Send the CSR to the CA of your choice.
- Save the issued custom certificate to your machine.
- Create a variable with your issued custom certificate.
$esxCertificatePem = Get-Content "C:\Users\jdoe\downloads\myesxcert.pem" -Raw
- Remove the ESXi host from the vCenter Server system.
Remove-VMHost $vmhost
- Disconnect from the vCenter Server system.
Disconnect-VIServer $vCenterConnection
- Connect directly to the ESXi host.
$esxConnection = Connect-VIServer $vmhost.Name `
    -User 'My User' `
    -Password 'My Password' `
    -Force
- Set the custom Machine SSL certificate to the ESXi host.
$targetEsxHost = Get-VMHost $vmhost.Name
Set-VIMachineCertificate -PemCertificate $esxCertificatePem -VMHost $targetEsxHost | Out-Null
- To apply the change, restart the ESXi host.
Restart-VMHost $targetEsxHost
- Disconnect from the ESXi host.
Disconnect-VIServer $esxConnection
- Connect to the vCenter Server system.
$vCenterConnection = Connect-VIServer vc1.example.com `
    -User 'My User' `
    -Password 'My Password'
- Add the ESXi host to the vCenter Server system.
$vmhost = Add-VMHost -Name <ESXi host's FQDN> or <ESXi host's IP address> `
    -Location (Get-Datacenter "My Datacenter") `
    -User "My User" `
    -Password "My Password"
- Set the ESXi host to the Connected mode.
$vmhost = Set-VMHost -VMHost $vmhost -State Connected
- (Optional) Verify that the Machine SSL certificate of the ESXi host is changed.
Get-VIMachineCertificate -VMHost $vmhost
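As an added check that is not part of this procedure or of PowerCLI, the following function connects to the host on TCP/443 and compares the certificate it actually presents with the PEM file you installed, confirming the thumbprint matches, that the common name equals the identifier you pass to Add-VMHost (see the Note above), and when it expires. The host name, port and file path are placeholders you supply.

```powershell
# Added example, not from the VMware documentation.
# Assumes: the host is reachable on $Port, and $IssuedPemPath is the
# certificate the CA returned (the file used for $esxCertificatePem).
function Test-EsxMachineCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,       # FQDN or IP used with Add-VMHost
        [Parameter(Mandatory)] [string] $IssuedPemPath,  # e.g. C:\Users\jdoe\downloads\myesxcert.pem
        [int] $Port = 443
    )

    # The certificate you expect the host to present, parsed from the PEM file.
    $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IssuedPemPath)

    # Fetch what the host really serves. The validation callback returns $true
    # only so the handshake completes and RemoteCertificate can be read; nothing
    # is trusted on that basis, the checks below decide.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }

    # Subject CN, compared with the identifier you will use in Add-VMHost.
    $cn = $presented.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    [pscustomobject]@{
        Host              = $HostName
        ThumbprintMatches = ($presented.Thumbprint -eq $expected.Thumbprint)
        CommonNameMatches = ($cn -eq $HostName)
        Issuer            = $presented.Issuer
        NotAfter          = $presented.NotAfter
        DaysUntilExpiry   = [int]($presented.NotAfter - (Get-Date)).TotalDays
    }
}

# Placeholder values; run after Restart-VMHost has completed.
Test-EsxMachineCertificate -HostName 'esx01.example.com' `
    -IssuedPemPath 'C:\Users\jdoe\downloads\myesxcert.pem'
```

If ThumbprintMatches is $false after the reboot, the host is still serving its previous certificate and the Set-VIMachineCertificate step should be repeated before the host is added back to vCenter Server.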