
Replacing the SSL certificate.

Source: http://www.vm-help.com/esx/esx3i/change_name_and_cert.php

Updating the SSL Certificate for your host

Should you change your host's hostname or domain after an install, the SSL certificate for the host will still be issued to localhost.localdomain. You can either regenerate a self-signed certificate for your ESXi host or replace the certificate with one generated by a certificate authority.

Regenerate your host's self-signed certificate
1) Access the console of ESXi. If you have not done that before, follow the first three steps on this page.
2) Run the command /sbin/create_certificates. This will replace both the private key and SSL certificate for the host. These files are located in /etc/vmware/ssl/.
3) Enter the command reboot to restart the host. The certificate for the host will now reflect the hostname and domain changes that you have made.

Replace the host's certificate with one generated by a certificate authority

The steps below use OpenSSL, which can be downloaded from here, and a Microsoft Windows 2003 Server Certificate Authority.

1) Download and install OpenSSL from the link provided. If you're using Linux, your host may already have the OpenSSL package. If you are using Windows, you may also need to download the Microsoft Visual C++ 2008 Redistributable Package.
2) Generate a new private key with the command openssl genrsa 1024 > rui.key.
3) Create a new certificate request by running the command openssl req -new -key rui.key > rui.csr. A wizard will run and prompt you for information for the certificate request.

4) Open the rui.csr file with a text editor and copy the contents. If using Windows, avoid using Notepad as it may insert extra characters into the copied text.
5) Open the certificate request page for your Windows 2003 CA server. This is typically http://<hostname>/certsrv.
6) Click on the "Request a Certificate" link followed by the "advanced certificate request" link on the Request a Certificate page.
7) Select the link "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
8) On the certificate request page enter the text from the rui.csr file and change the Certificate Template to Web Server. Then click Submit.

9) On the certificate issued page, select the "Base 64 encoded" option and then download the certificate to your PC.
10) Run the command on the certificate that you downloaded: openssl x509 -in certnew.cer -out esx.cer.
11) Copy the private key and certificate to your ESXi host with the following RCLI commands:
     vifs.pl --server esx05.mishchenko.net --put rui.key /host/ssl_key
     vifs.pl --server esx05.mishchenko.net --put esx.cer /host/ssl_cert

12) Restart the ESXi host and verify that the certificate has been installed correctly. If there is a problem with the certificate, you may not be able to log in to the host with the VI client. If that's the case, then run /sbin/create_certificates at the console and reboot the host.
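
A pre-upload check for the procedure above, as an added example that is not part of the original article: it confirms that esx.cer was issued for rui.key and that its subject CN is the new host name rather than localhost.localdomain, before step 11 puts the files on the host. The function names, the host name esx05.example.test and the throwaway 2048-bit keys with a self-signed certificate standing in for the CA-issued one are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-upload checks for rui.key / esx.cer (steps 2-10).

# PEM public key derived from a private key file.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# PEM public key embedded in a certificate (fails if the file is not PEM).
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# 0 if the certificate was issued for this key, 1 if not, 2 on a read error.
cert_matches_key() {
    k=$(key_pub "$1") || return 2
    c=$(cert_pub "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject CN of a certificate, e.g. localhost.localdomain on a renamed host
# whose certificate was never regenerated.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# 0 if the subject CN equals the expected host name.
cert_cn_is() { [ "$(cert_cn "$1")" = "$2" ]; }

# Constructed sample data: a throwaway key, a self-signed certificate standing
# in for the CA-issued esx.cer, and an unrelated key for the mismatch case.
make_sample() {
    openssl genrsa -out "$1/rui.key" 2048 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/rui.key" -subj "/CN=$2" -days 1 \
        -out "$1/esx.cer" 2>/dev/null
}

# Run both checks and report; a nonzero return means do not upload.
preflight() {
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 does not match $1"; return 1; }
    cert_cn_is "$2" "$3" || { echo "FAIL: CN is '$(cert_cn "$2")', want $3"; return 1; }
    echo "OK: $2 matches $1 and is issued to $3"
}

tmp=$(mktemp -d)
make_sample "$tmp" esx05.example.test          # hypothetical host name
preflight "$tmp/rui.key" "$tmp/esx.cer" esx05.example.test
preflight "$tmp/other.key" "$tmp/esx.cer" esx05.example.test || true
rm -rf "$tmp"
```

On the real files from steps 2 to 10, the call is preflight rui.key esx.cer followed by the host's fully qualified name.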