Ever received a Security Warning while logging into either you ESX/i host and/or vCenter?
That’s due to the SSL certificate being untrusted with your machine. You can always click the «Ignore» button or check the «Install this certificate…» box and then «Ignore» and move on, however you can improve the security by replacing the certificates with certificates signed by a commercial certificate authority (CA).
To generate an RSA Key and certificate signing request (CSR), we’ll start by downloading the OpenSSL-Light application on the system you’ll be installing or have already installed a VMware application. The application is available from the following site: http://www.slproweb.com/products/Win32OpenSSL.html
Download the «Win32 OpenSSL v1.0.0e Light» application along with the «Visual C++ 2008 Redistributables». Once downloaded, run the Visual C++ file (in this case, «vcredist_x86.exe»). Click «Next», check the «I have read and accept the license terms.» box and click «Install», wait a couple seconds and click «Finish».
Now it’s time to install OpenSSL by running the «Win32OpenSSL_Light-1_0_0e.exe» and installing it to your desired location. Click «Next», accept the agreement and click «Next», choose an install location (default is the root of C:, but I don’t like cluttering up the root of C:) and click «Next», click «Next», change the option so that the OpenSSL DLLs are copied to the OpenSSL binaries (/bin) directory and click «Next», then click «Install», once the installer is finished click «Finish».
From this point, open up a command prompt and navigate to the bin folder within the location of the installation of OpenSSL. To generate the key, run the following command:
openssl genrsa 1024 > rui.key
Once that is complete, generate the CSR by running this command:
openssl req -new -key rui.key > rui.csr
After running the command, you’ll be asked to populate some information regarding your country name, state, city, organization name and unit, common name and email address.
If you happen to receive the error: «WARNING: can’t open config file: /usr/local/ssl/openssl.cnf» this is due to OpenSSL being unable to find the openssl.cnf file. To correct this error, run the following command:
set OPENSSL_CONF=c:\[PATH TO OPENSSL DIRECTORY\]binopenssl.cfg
After creating the CSR, submit it to either the admin of your Microsoft Certificate Services CA or to whomever handles the certificates from a commercial CA.