Three Ways to Get Certificate and Thumbprint from ESXi

Happy New Year 2014!

When adding a new ESXi host to vCenter Server via the vSphere API, you can supply the certificate thumbprint that the ESXi server is expected to have. Before calling the API, you can get the thumbprint directly or indirectly from the ESXi server to be added. Here are three different ways to do that. The first two approaches retrieve the SSL certificate, from which you can generate the thumbprint. For reference, this is the warning the client shows when it cannot verify the host being added:


“Unable to verify the authenticity of the specified host. The SHA1 thumbprint of the certificate is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Do you wish to proceed with connecting anyway? Choose “Yes” if you trust the host. The above information will be remembered until the host is removed from the inventory. Choose “No” to abort connecting to the host at this time.”

1. Direct URL
If you open the following URL in a browser, you get a prompt for a username and password. Once authenticated, the full certificate is shown in the browser body.

https://192.168.8.25/host/ssl_cert
-----BEGIN CERTIFICATE-----
MIID8jCCAtqgAwIBAgIHALx+O+KA/jANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQK
ExBWTXdhcmUgSW5zdGFsbGVyMB4XDTEyMTIxNjEzMjgwOFoXDTI0MDYxNjEzMjgw
OFowgfoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQH
EwlQYWxvIEFsdG8xFDASBgNVBAoTC1ZNd2FyZSwgSW5jMS4wLAYDVQQLEyVWTXdh
cmUgRVNYIFNlcnZlciBEZWZhdWx0IENlcnRpZmljYXRlMSowKAYJKoZIhvcNAQkB
Fhtzc2wtY2VydGlmaWNhdGVzQHZtd2FyZS5jb20xHjAcBgNVBAMTFWxvY2FsaG9z
dC5sb2NhbGRvbWFpbjEwMC4GCSqGSIb3DQEJAhMhMTM1NTY2NDQ4Nyw1NjRkNzc2
MTcyNjUyMDQ5NmU2MzJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
rmNz9aCUwHy9+LbqLhx4naNtTzmkkKilhLG65IzLdj4FPjorBxi9/iAQ6O/XNxT6
TLFSh8kEhZ/ZwDHQuLVHMEy/IpaB6i7rIO+CjUkWqhqBpkDdIz4V4RAWE/RksIbD
R//Ow9XHt93hZPaQtAxLVP8SqE+RR/zPbKBx6QVuFPyxZzk2sEGVHyJwD8J2i6t8
ZFIv38KwRLGSE0/7QW+DKgDXKdG6VSHkMAVyktZSSZc5bdB2AutWHtuaS+48cnsm
SohETHa/XzLaMpvYMs7ccWUN9utKJTZAy3cMiWrFipcKgOQd5WgZ2gCgZEOTJnZv
EYbFXTD/Ef+0iViGgWYB6wIDAQABo1swWTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
sDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIAYDVR0RBBkwF4IVbG9j
YWxob3N0LmxvY2FsZG9tYWluMA0GCSqGSIb3DQEBBQUAA4IBAQBZhI3nusvZiWpL
H/wYfk2+anT/ZSvkF9HGEKroqItwEUicPPi5Gf7fw/69OYW3w/kIzD3pS3wHnSxq
DMiwsriGIU2o57ryMpZzY7ORsXjWzykdnIaS9tD6f+6eDH1PTukxWTiZokbTS1gx
PgA8irtc8uvLDpaDK1F1bu505Z+wjUGQnuLMt7dw/CJUy1wMNiC2+gWUSXW2Roig
bYA+M/q4TH/HPC/j0iyncmqjRKNpWPiB1kvU/adFZHMA61CsO2xOyXEZCi8ptfal
E8Rbb9BVte7gjrFbRt/0fYWdKNSI9BTDaW894sMQ1wbhmxClsqzu/uzEvA6jBIlr
2vCKB65H
-----END CERTIFICATE-----

For automation, you can also use wget or curl to fetch the certificate text directly.

2. MOB/vSphere APIs
You can also use the MOB to retrieve the same information. The URL looks like the following; you will need a username and password here too.

https://192.168.8.25/mob/?moid=ha%2dhost&doPath=config

The problem is that the MOB displays the certificate as one decimal value per byte, which is not convenient for automation. To get the byte array programmatically, use the vSphere API to read the following property, defined on the HostSystem managed object type:

config.certificate

With the certificate in hand, you can generate the thumbprint either from the command line with a tool like keytool, or programmatically. Check out this Q&A at stackoverflow.
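Here is the programmatic route in Python, as an added example that is not code from the original post. It covers both approach one (the PEM text returned by /host/ssl_cert, using the sample certificate printed above) and approach two (the decimal byte array behind config.certificate). It assumes the array is a single DER-encoded certificate and that SDK bindings may hand back Java-style signed bytes (-128..127), which it normalizes; the resulting string is the colon-separated uppercase SHA1 form that the add-host dialog shows and that HostConnectSpec.sslThumbprint expects. It also checks that the DER length is self-consistent, because a truncated or doubled paste still hashes to a perfectly plausible looking, but wrong, thumbprint.

```python
"""SHA1 thumbprint of an ESXi certificate from PEM text or a byte array."""
import base64
import hashlib
import re
from typing import Iterable

# Sample input: the certificate shown in the post for approach one.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIID8jCCAtqgAwIBAgIHALx+O+KA/jANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQK
ExBWTXdhcmUgSW5zdGFsbGVyMB4XDTEyMTIxNjEzMjgwOFoXDTI0MDYxNjEzMjgw
OFowgfoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQH
EwlQYWxvIEFsdG8xFDASBgNVBAoTC1ZNd2FyZSwgSW5jMS4wLAYDVQQLEyVWTXdh
cmUgRVNYIFNlcnZlciBEZWZhdWx0IENlcnRpZmljYXRlMSowKAYJKoZIhvcNAQkB
Fhtzc2wtY2VydGlmaWNhdGVzQHZtd2FyZS5jb20xHjAcBgNVBAMTFWxvY2FsaG9z
dC5sb2NhbGRvbWFpbjEwMC4GCSqGSIb3DQEJAhMhMTM1NTY2NDQ4Nyw1NjRkNzc2
MTcyNjUyMDQ5NmU2MzJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
rmNz9aCUwHy9+LbqLhx4naNtTzmkkKilhLG65IzLdj4FPjorBxi9/iAQ6O/XNxT6
TLFSh8kEhZ/ZwDHQuLVHMEy/IpaB6i7rIO+CjUkWqhqBpkDdIz4V4RAWE/RksIbD
R//Ow9XHt93hZPaQtAxLVP8SqE+RR/zPbKBx6QVuFPyxZzk2sEGVHyJwD8J2i6t8
ZFIv38KwRLGSE0/7QW+DKgDXKdG6VSHkMAVyktZSSZc5bdB2AutWHtuaS+48cnsm
SohETHa/XzLaMpvYMs7ccWUN9utKJTZAy3cMiWrFipcKgOQd5WgZ2gCgZEOTJnZv
EYbFXTD/Ef+0iViGgWYB6wIDAQABo1swWTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
sDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIAYDVR0RBBkwF4IVbG9j
YWxob3N0LmxvY2FsZG9tYWluMA0GCSqGSIb3DQEBBQUAA4IBAQBZhI3nusvZiWpL
H/wYfk2+anT/ZSvkF9HGEKroqItwEUicPPi5Gf7fw/69OYW3w/kIzD3pS3wHnSxq
DMiwsriGIU2o57ryMpZzY7ORsXjWzykdnIaS9tD6f+6eDH1PTukxWTiZokbTS1gx
PgA8irtc8uvLDpaDK1F1bu505Z+wjUGQnuLMt7dw/CJUy1wMNiC2+gWUSXW2Roig
bYA+M/q4TH/HPC/j0iyncmqjRKNpWPiB1kvU/adFZHMA61CsO2xOyXEZCi8ptfal
E8Rbb9BVte7gjrFbRt/0fYWdKNSI9BTDaW894sMQ1wbhmxClsqzu/uzEvA6jBIlr
2vCKB65H
-----END CERTIFICATE-----"""

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Approach one: take the first PEM block and base64-decode it.
    The thumbprint is the hash of the DER bytes, never of the PEM text."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def byte_array_to_der(values: Iterable[int]) -> bytes:
    """Approach two: turn the decimal byte array (config.certificate) into DER.
    Assumption: bindings may return signed bytes (-128..127); normalize them."""
    out = bytearray()
    for v in values:
        if not -128 <= v <= 255:
            raise ValueError(f"byte value out of range: {v}")
        out.append(v & 0xFF)
    return bytes(out)


def der_length_ok(der: bytes) -> bool:
    """True if the bytes are exactly one DER SEQUENCE whose declared length
    matches; catches a truncated or concatenated paste before hashing it."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    declared = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + declared


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Fingerprint formatted like `openssl x509 -fingerprint`: AA:BB:...:TT."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(expected: str, actual: str) -> bool:
    """Compare thumbprints ignoring case and separators, since other tools
    print the same bytes in lowercase or without colons."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-fA-F]", "", s).upper()
    return norm(expected) == norm(actual)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("DER bytes:", len(der), "well-formed:", der_length_ok(der))
    print("SHA1 thumbprint:", thumbprint(der))
```

Feed pem_to_der the text you fetched with curl, or byte_array_to_der the array you read from the API, and pass the result to thumbprint; compare it with thumbprint_matches against the value the host presents so that a lowercase or colon-free copy does not fail the comparison by accident.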

3. OpenSSL via SSH

You can also connect directly to an ESXi host over SSH and use the openssl command to generate the thumbprint, as follows. The file /etc/vmware/ssl/rui.crt contains exactly the same content as you get from approach one.

~ # openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint
SHA1 Fingerprint=5B:B1:4C:1F:5A:F2:41:4A:89:82:99:42:21:4C:A4:55:84:04:48:5A

You need to copy the string after the =. To display only the thumbprint, pipe the output through the cut command:

~ # openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint | cut -d '=' -f 2
5B:B1:4C:1F:5A:F2:41:4A:89:82:99:42:21:4C:A4:55:84:04:48:5A

One Comment

  1. Hao
    Posted May 19, 2014 at 9:11 pm | Permalink

    Steve,

    Is there a way from VI Java API to get the thumbprint? I found it always failed to add a host into VC without a thumbprint using vi java api

    thanks,
    -Hao

Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.