DoubleCloud => Private Cloud + Public Cloud

Happy New Year 2014!

When adding a new ESXi host to vCenter server via vSphere API, you can supply the certificate thumbprint of the ESXi server expected to have. Before calling the vSphere API, you can get the thumbprint directly or indirectly from the ESXi server to be added. Here are three different ways to do that. The first two approaches retrieve SSL certificate with which you can generate thumbprint.

“Unable to verify the authenticity of the specified host. The SHA1 thumbprint of the cerificate is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Do you wish to proceed with connecting anyway? Choose “Yes” if you trust the host. The above information will be remembered until the host is removed from the inventory. Choose “No” to abort connecting to the host at this time.”

1. Direct URL
If you issue the following URL in a browser, you would get a prompt for username and password. Once it’s authenticated, the full certiciate will be shown in the browser body.

https://192.168.8.25/host/ssl_cert

-----BEGIN CERTIFICATE-----
MIID8jCCAtqgAwIBAgIHALx+O+KA/jANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQK
ExBWTXdhcmUgSW5zdGFsbGVyMB4XDTEyMTIxNjEzMjgwOFoXDTI0MDYxNjEzMjgw
OFowgfoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQH
EwlQYWxvIEFsdG8xFDASBgNVBAoTC1ZNd2FyZSwgSW5jMS4wLAYDVQQLEyVWTXdh
cmUgRVNYIFNlcnZlciBEZWZhdWx0IENlcnRpZmljYXRlMSowKAYJKoZIhvcNAQkB
Fhtzc2wtY2VydGlmaWNhdGVzQHZtd2FyZS5jb20xHjAcBgNVBAMTFWxvY2FsaG9z
dC5sb2NhbGRvbWFpbjEwMC4GCSqGSIb3DQEJAhMhMTM1NTY2NDQ4Nyw1NjRkNzc2
MTcyNjUyMDQ5NmU2MzJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
rmNz9aCUwHy9+LbqLhx4naNtTzmkkKilhLG65IzLdj4FPjorBxi9/iAQ6O/XNxT6
TLFSh8kEhZ/ZwDHQuLVHMEy/IpaB6i7rIO+CjUkWqhqBpkDdIz4V4RAWE/RksIbD
R//Ow9XHt93hZPaQtAxLVP8SqE+RR/zPbKBx6QVuFPyxZzk2sEGVHyJwD8J2i6t8
ZFIv38KwRLGSE0/7QW+DKgDXKdG6VSHkMAVyktZSSZc5bdB2AutWHtuaS+48cnsm
SohETHa/XzLaMpvYMs7ccWUN9utKJTZAy3cMiWrFipcKgOQd5WgZ2gCgZEOTJnZv
EYbFXTD/Ef+0iViGgWYB6wIDAQABo1swWTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
sDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIAYDVR0RBBkwF4IVbG9j
YWxob3N0LmxvY2FsZG9tYWluMA0GCSqGSIb3DQEBBQUAA4IBAQBZhI3nusvZiWpL
H/wYfk2+anT/ZSvkF9HGEKroqItwEUicPPi5Gf7fw/69OYW3w/kIzD3pS3wHnSxq
DMiwsriGIU2o57ryMpZzY7ORsXjWzykdnIaS9tD6f+6eDH1PTukxWTiZokbTS1gx
PgA8irtc8uvLDpaDK1F1bu505Z+wjUGQnuLMt7dw/CJUy1wMNiC2+gWUSXW2Roig
bYA+M/q4TH/HPC/j0iyncmqjRKNpWPiB1kvU/adFZHMA61CsO2xOyXEZCi8ptfal
E8Rbb9BVte7gjrFbRt/0fYWdKNSI9BTDaW894sMQ1wbhmxClsqzu/uzEvA6jBIlr
2vCKB65H
-----END CERTIFICATE-----

For automation, you can also use wget or curl to get the certificate string directly.

2. MOB/vSphere APIs
You can also use MOB to retrieve the information as well. The URL is like the following. You will need username and password too.

https://192.168.8.25/mob/?moid=ha%2dhost&doPath=config

The problem is that the certificate is displayed as decimal value for each byte. It’s not easy for automation. To get the byte array, you want to use the vSphere API for the following property defined in HostSystem managed object type:

config.certificate

With the certificate, you can geneate the thumbprint either through command line like keytool, or programming. Check out this Q&A at stackoverflow.

3. OpenSSL via SSH

You can also connect directly to an ESXi and use openssl command to geneate the thumbprint directly as follows. The /etc/vmware/ssl/rui.crt contains exactly the same content as you get from approach one.

~ # openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint
SHA1 Fingerprint=5B:B1:4C:1F:5A:F2:41:4A:89:82:99:42:21:4C:A4:55:84:04:48:5A

You need to copy/paste the string after the =. To display the thumbprint only, you can use cut command to process it.

~ # openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint | cut -d '=' -f 2
5B:B1:4C:1F:5A:F2:41:4A:89:82:99:42:21:4C:A4:55:84:04:48:5A