Generating SSL Certificates for ESXi Hosts using PowerShell

If you have ever had to generate SSL certificates for all of your hosts, you know that this is no trivial task, especially if you have a large environment. I wrote a script that generates the CSR, converts the key to RSA, and requests the certificate from the CA. It puts everything neatly into c:\certs\hosts\hostname so you can keep it with the certs from the rest of VMware’s recommended SSL path. I am making the assumption that if you are reading this you are somewhat familiar with the process for the other components and these concepts are not foreign.

The first step is to create the OpenSSL cfg files, one for each host. These are in the same format that is used for all of the other components. I have not yet created a script to generate these, but if I do I’ll add it here. I created a folder at c:\certs\hosts\opensslcfg to store the cfg files with the naming convention of hostname.cfg.

My script makes the following assumptions:

  1. You have created an openssl cfg files for each host
  2. You have the proper version of openssl installed to c:\openssl (if not, just change the path in the script)
  3. You are using a Microsoft CA
  4. You know what certificate template you want to use (same as used for other components)
  5. You have access to request the certificates

There are plenty of ways you could feed hostnames into the script, I just used a CSV exported from an Excel spreadsheet that I use to keep track of my environment. The CSV looks something like this:

Hostname,Management IP,vMotion IP,Cluster

Once you have all of the prerequisites intact, all that is left is to run the script:

Here is the code:

#Set Variables
$vmhosts = import-csv c:\certs\hosts\hostnames.csv
$ca = """\CAname"""
$template = "CertificateTemplate:VMware-SSL"

foreach($vmhost in $vmhosts){
	$name = $vmhost.Hostname
	$dirpath = "c:\certs\hosts\" + $name
	new-item -ItemType directory -path $dirpath
	$path = "c:\certs\hosts\" + $name + "\"
	$csr = "c:\openssl\bin\openssl.exe req -new -nodes -out " + $path + "rui.csr -keyout " + $path + "rui-orig.key -config c:\certs\hosts\opensslcfg\" + $name + ".cfg"
	$key = "c:\openssl\bin\openssl.exe rsa -in " + $path + "rui-orig.key " + "-out " + $path + "rui.key"
	$reqcert = "C:\windows\system32\certreq.exe -config " + $ca + " -attrib " + $template + " " + $path + "rui.csr " + $path + "rui.crt"
	IEX $csr | out-null
	IEX $key | out-null
	IEX $reqcert | out-null

After the certificates have been generated, all that is left is to install them. This requires putting the host in maintenance mode, copying the appropriate rui.crt and rui.key to /etc/vmware/ssl on each host, and then restarting the management agents. Here is the official VMware KB article on the subject.


This entry was posted in PowerShell, VMware and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *