In my earlier article I shown how to Generate new self-signed certificates for ESXi using OpenSSL. Importing this certificate in local certificates store is good for single computer or 2-3 systems, but may be tedious task if you want to maintain it on more than 10 systems, think what happens if they are 50 systems, you want to add/remove/edit them later, using scripts is easier but instead there should be proper automated way. for this purpose I am using group policy which is available to me, configure once and forget, Easier for edit or remove later. I have my CRT file ready from earlier article and using same to upload. Go to cortana search and type Group Policy Management to lunch it. On this mmc snap in expand and follow the path Forest: Domain.com >> Domains >> Left click on Group Policy Objects. Click New from context menu, in the New GPO give it some new meaningful name and click OK.
Once new GPO is listed, right click it and click Edit. This opens Group Policy Management Editor.
Expand and select Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Public Key Policies >> Right click Trusted Root Certification Authorities and click Import, On the Welcome to the Certificate Import Wizard click next to proceed.
Next select the earlier created rui.crt file from previous article, click next, Certificate store is by default selected to Trusted Root Certificate Authorities, click next and in the last complete wizard by pressing finish.
Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
Managing ESXi SSL certificate properties from vCenter server
If all is good, It shows friendly message The import was successful and new certificate will be visible for deployment. Close Group Policy Management Editor.
On the newly created GPO (group policy objects), go to settings tab, certificate info should be visible after refreshing page.
New GPO is created, Next step is to link gpo either domain, OU (organization unit) or site. I want to apply it to entire domain here, select domain name and right click to Link an Existing GPO. Select the earlier created policy from list and click ok.
Policy is linked, review the both policies, On the linked one policy on domain there will be a shortcut icon. It will take around 90 minutes to pull settings by client computer and reflect the change.
To expedite and test setting immediately, pickup member computer which is domain joined and execute command gpupdate /force, before updating settings open certificate MMC, certificate will not be visible under Trusted Root Certification Authorities >> certificates. once you execute the gpupdate /force settings refreshes, review that cert should be visible.
Useful Articles
VMWARE SECURITY BEST PRACTICES: POWERCLI ENABLE OR DISABLE ESXI SSH
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
Configure syslog on VMware ESXi hosts: VMware best practices
Configure SNMP on ESXi Server GUI :Vmware Best Practices
