Three Ways to Get Certificate and Thumbprint from ESXi
Happy New Year 2014!
When adding a new ESXi host to a vCenter Server via the vSphere API, you can supply the certificate thumbprint that the ESXi server is expected to have. Before calling the vSphere API, you can get the thumbprint directly or indirectly from the ESXi server to be added. Here are three different ways to do that. The first two approaches retrieve the SSL certificate, from which you can generate the thumbprint.
“Unable to verify the authenticity of the specified host. The SHA1 thumbprint of the certificate is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Do you wish to proceed with connecting anyway? Choose “Yes” if you trust the host. The above information will be remembered until the host is removed from the inventory. Choose “No” to abort connecting to the host at this time.”
1. Direct URL
If you open the following URL in a browser, you are prompted for a username and password. Once you are authenticated, the full certificate is shown in the browser body.
https://192.168.8.25/host/ssl_cert
For automation, you can also use wget or curl to get the certificate string directly.
2. MOB/vSphere APIs
You can also use the Managed Object Browser (MOB) to retrieve the information. The URL looks like the following. You will need a username and password here too.
https://192.168.8.25/mob/?moid=ha%2dhost&doPath=config
The problem is that the certificate is displayed as a decimal value for each byte, which is not easy to automate against. To get the byte array, use the vSphere API to read the following property defined in the HostSystem managed object type:
config.certificate
With the certificate, you can generate the thumbprint either from the command line with a tool like keytool, or programmatically. Check out this Q&A at Stack Overflow.
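As an added example (not code from the original post), here is one way to generate the thumbprint programmatically in Python from either the PEM text returned by approach one or the per-byte decimal values of config.certificate. It assumes the byte array decodes to PEM text or raw DER; the function names and the sample input are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(cert):
    """Accept PEM text/bytes, raw DER bytes, or a list of per-byte integers
    (possibly signed, as a Java byte[] prints) and return the DER bytes."""
    if isinstance(cert, str):
        cert = cert.encode("ascii")
    elif not isinstance(cert, (bytes, bytearray)):
        cert = bytes(b & 0xFF for b in cert)   # -1 -> 0xFF, 45 -> 0x2D
    match = PEM_RE.search(bytes(cert))
    if match:
        # The base64 body may be wrapped or flattened; drop all whitespace.
        body = b"".join(match.group(1).split())
        return base64.b64decode(body, validate=True)
    return bytes(cert)                          # assumption: already DER


def thumbprint(cert):
    """SHA-1 over the DER encoding, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha1(to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_thumbprint(a, b):
    """Compare two thumbprints, ignoring case and ':' or whitespace separators."""
    def norm(s):
        return re.sub(r"[:\s]", "", s).lower()
    return norm(a) == norm(b)


# Constructed sample: the three bytes b"abc" stand in for a DER certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_DECIMAL = [ord(c) for c in SAMPLE_PEM]   # one decimal value per byte

if __name__ == "__main__":
    print(thumbprint(SAMPLE_PEM))
    print(same_thumbprint(thumbprint(SAMPLE_DECIMAL), thumbprint(b"abc")))
```

Compare the result against a thumbprint obtained over a separate trusted channel, such as the openssl output on the host console, before passing it to the add-host call.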
3. OpenSSL via SSH
You can also connect directly to an ESXi host and use the openssl command to generate the thumbprint as follows. The file /etc/vmware/ssl/rui.crt contains exactly the same content as you get from approach one.
~ # openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint
SHA1 Fingerprint=5B:B1:4C:1F:5A:F2:41:4A:89:82:99:42:21:4C:A4:55:84:04:48:5A
You need to copy/paste the string after the =. To display the thumbprint only, you can use the cut command to process it.
~ # openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint | cut -d '=' -f 2
5B:B1:4C:1F:5A:F2:41:4A:89:82:99:42:21:4C:A4:55:84:04:48:5A
Steve,
Is there a way from the VI Java API to get the thumbprint? I found it always failed to add a host into VC without a thumbprint using the VI Java API.
Thanks,
-Hao