Security – Part Three: Generating ESXi Host Certificates

Posted on by Dean Grant

In order to secure connections between clients, ESXi host systems and the vCenter Server system SSL is used. When an ESXi host system or vCenter Server system is installed, the installation will include SSL certificates by default to establish an initial connection. In order to connect ESXi host systems to a managed vCenter Server system and to connect to those managed objects the SSL certificate is used.

For SSL certificates generated in VMware products these use standard X.509 version 3 (x.509v3) certificates to encrypt session information over the SSL protocol connections between the client and the server.  When replacing the default ESXi host system and vCenter Server system you are required to generate your SSL certificates to conform to the Privacy Enhanced Mail (PEM) key format and to be signed. The key used to sign certificates must be a standard RSA key with an encryption length which ranges between 512 and 4.096 bits, where the VMware recommendation is 2,048.

If you replace a certificate with one signed by your own local root CA or plan to use the default certificates, you must pre-trust the certificate by importing into the local certificate store for each vSphere Client instance. For certificates signed by a local root CA you must pre trust any valid default certificates you will continue to use on the vCenter Server system. For ESXi host systems that are exposed to the internet, you should use a trusted commercial security authority.

On an ESXi host system, the two default certificate files are located at:

  • Private Key – /etc/vmware/ssl/rui.key
  • Certification File – /etc/vmware/ssl/rui.crt

In order to replace the default SSL certificates perform the following on an ESXi host system:

1) Connect to the ESXi host system using a SSH client as root user.

2) Create a backup of the existing certificates if they exist on the ESXi host system.

/etc/vmware/ssl # mv rui.crt rui.crt.backup
/etc/vmware/ssl # mv rui.key rui.key.backup

3) Generate the new certificates on the ESXi host system or replace the default certificate with CA signed certificate.

/bin # generate-certificates

4) Restart the services or alternatively restart the ESXi host system.

services.sh restart

We may also configure timeout values that can affect the SSL connection for when a connection becomes idle that can be configured for an ESXi host system. By default, SSL connections between the server and the client do not timeout. There are two timeout settings which can be configured on an ESXi host system, these being:

  • Read Timeout – connections that have completed the SSL handshake process using TCP service port 443 of the ESXi host system.
  • Handshake Timeout – connections that have not completed the SSL handshake process using TCP service port 443 of the ESXi host system.

The timeout values can be configured by connecting to an ESXi host system using a SSH client and modifying the file ‘/etc/vmware/hostd/config.xml’ file and adding the below which requires a  restart of the vmware-hostd process to apply the configuration change.

<vmacore>
  <http>
     <readTimeoutMs>20000</readTimeoutMs>
  </http>
  <ssl>
    <handshakeTimeoutMs>20000</handshakeTimeoutMs>
  </ssl>
</vmacore>
services.sh restart

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s