Virtualization, Cloud, Infrastructure and all that stuff in-between

My ramblings on the stuff that holds it all together

Find which SSL certificate is being used on an ESX host

If you have been through the pain of changing ESX host certificates from self-signed to real (CA signed certificates), you can check which certificate you are currently using for vCenter–>ESX host traffic by issuing the following command in an SSH session on the host

openssl x509 -noout -in /etc/vmware/ssl/rui.crt –text

You will see the details inside the SSL cert, signing authority etc. If the SSL cert contents make reference to VMware, you’re still using a self-signed certificate.

The vpxa (vCenter management) service on the ESX host is hard-coded to use /etc/vmware/ssl/rui.crt when the service is started (or restarted) so you can examine its properties using the above command to check
I can’t find any graphical way of checking this in the VI Client.

2 responses to “Find which SSL certificate is being used on an ESX host

  1. Richard Kenyan December 4, 2014 at 5:41 pm

    When I try this on my 5.0 esxi box, it says unknown option -text, and then lists all the options I can use (including -text!).
    I’m on OpenSSL 0.9.8za 5 Jun 2014.
    I had to remove -noout.
    This works…”openssl x509 -in /etc/vmware/ssl/rui.crt -text”

  2. Byron Morrison June 18, 2015 at 11:38 pm

    Hey Richard Kenyan, when you copy and past the link it changed the “-” to a “.” so you will need to ensure that it says “-text” not “.text”

    I had the same issue.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: