Three Ways to Get Certificate and Thumbprint from ESXi

Happy New Year 2014!

When adding a new ESXi host to vCenter Server via the vSphere API, you can supply the certificate thumbprint that the ESXi server is expected to have. Before calling the vSphere API, you can get the thumbprint directly or indirectly from the ESXi server to be added. Here are three different ways to do that. The first two approaches retrieve the SSL certificate, from which you can generate the thumbprint.


“Unable to verify the authenticity of the specified host. The SHA1 thumbprint of the certificate is:
Do you wish to proceed with connecting anyway? Choose “Yes” if you trust the host. The above information will be remembered until the host is removed from the inventory. Choose “No” to abort connecting to the host at this time.”

1. Direct URL
If you open the following URL in a browser, you will be prompted for a username and password. Once authenticated, the full certificate is shown in the browser body.

For automation, you can also use wget or curl to get the certificate string directly.

2. MOB/vSphere APIs
You can also use the MOB to retrieve the information. The URL is like the following. You will need a username and password too.

The problem is that the certificate is displayed as a decimal value for each byte, which is not easy to automate against. To get the byte array, use the vSphere API to read the following property defined in the HostSystem managed object type:


With the certificate, you can generate the thumbprint either through a command-line tool like keytool or programmatically. Check out this Q&A at stackoverflow.
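An added example, not from the original post: a Python version of the "programming" route for approaches one and two. It hashes the DER bytes (not the PEM text), accepts either a PEM string or a per-byte decimal list, and compares the result with an expected thumbprint. The sample certificate is a constructed three-byte stand-in, the function names are hypothetical, and accepting both signed and unsigned byte values is an assumption.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in, NOT a real certificate: the three bytes "abc",
# in the PEM form (approach 1) and the decimal-byte form (approach 2).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_DECIMAL_BYTES = [97, 98, 99]


def pem_to_der(pem_text):
    """Return the DER bytes inside the first PEM certificate block."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def decimal_bytes_to_der(values):
    """Rebuild DER bytes from one decimal value per byte."""
    der = bytearray()
    for value in values:
        number = int(value)
        # Assumption: the list may be signed (-128..127) or unsigned (0..255).
        if not -128 <= number <= 255:
            raise ValueError(f"not a byte value: {value!r}")
        der.append(number & 0xFF)
    return bytes(der)


def sha1_thumbprint(der):
    """SHA-1 over the DER bytes, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprints_match(expected, actual):
    """Compare two thumbprints regardless of colons, case or padding."""
    def canon(text):
        bare = text.strip().replace(":", "").upper()
        if not re.fullmatch(r"[0-9A-F]{40}", bare):
            raise ValueError(f"not a SHA-1 thumbprint: {text!r}")
        return bare
    return hmac.compare_digest(canon(expected), canon(actual))
```

Comparing the computed value against a thumbprint obtained over a separate trusted channel (for example, approach three on the host console) is what makes supplying it to vCenter meaningful.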

3. OpenSSL via SSH

You can also connect directly to an ESXi host and use the openssl command to generate the thumbprint as follows. The /etc/vmware/ssl/rui.crt file contains exactly the same content as you get from approach one.

~ # openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint
SHA1 Fingerprint=5B:B1:4C:1F:5A:F2:41:4A:89:82:99:42:21:4C:A4:55:84:04:48:5A

You need to copy and paste the string after the =. To display the thumbprint only, you can use the cut command to process the output.

~ # openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint | cut -d '=' -f 2

One Comment

  1. Hao
    Posted May 19, 2014 at 9:11 pm | Permalink


    Is there a way from VI Java API to get the thumbprint? I found it always failed to add a host into VC without a thumbprint using VI Java API.



    Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.