_______ ____ ____ __  __ ____  __   ______ ______
/_   __// __// __// /_/ // _ / / /  / __  // ____/
  / /  / __// /_ / __  // _ < / /_ / /_/ // /_  /
 /_/  /___//___//_/ /_//____//___//_____//_____/
  techblog.koponen.se

 [ / ] [ howto ] [ reviews ] [ webapps ] [ youtube ] [ links ] [ about ]
-------------------------------------------------------------------------

  techblog.koponen.se
 
 [ / ] 
 [ howto   ] [ reviews ] [ webapps ] 
 [ youtube ] [ about   ] [ links   ] 
-------------------------------------

HOWTO
VMWARE
POST INSTALL PROCEDURES TO SECURE A VMWARE ESXI HOST

Published: 20190329

Tested on:
VMware ESXi 6.7.0 (Build 8169922)

-

If you follow the procedures in order, you wont compromise security.
In this guide we assume the hostname of your VMware ESXi host is "vmwarehost".
You also need to create an openssl key-file and crt-file, their names are assumed to be: custom.key and custom.crt

Instructions how to create your own CA and include it in your browser can be found here

1. Enable SSH

   • Login in to physical console
     • connect a monitor and keyboard
     • press "F2"
     • enter your password
     • If you're already logged in, you can backtrack from a submenu by pressing "Esc"
   • Choose "Troubleshooting Options" (arrows and enter)
   • Choose "Enable SSH" (press enter)
   • SSH is now permanently active

2. Verify the SSH fingerprint

   • Login in to physical console
     • connect a monitor and keyboard
     • press "F2"
     • enter your password
     • If you're already logged in, you can backtrack from a submenu by pressing "Esc"
   • Choose "View Support Information" (arrow keys only)
   • Write down the fingerprints

3. Change RSA key to 4096 bits

   • SSH to the machine

     • Username: root
     • Make sure to verify the SSH fingerprint

   • output and commands should look like this:

     [root@vmwarehost:~] cd /etc/ssh  
     [root@vmwarehost:/etc/ssh] /usr/lib/vmware/openssh/bin/ssh-keygen -t rsa -b 4096
     Generating public/private rsa key pair.
     Enter file in which to save the key (//.ssh/id_rsa): ssh_host_rsa_key
     ssh_host_rsa_key already exists.
     Overwrite (y/n)? y
     Enter passphrase (empty for no passphrase):
     Enter same passphrase again:
     Your identification has been saved in ssh_host_rsa_key.
     Your public key has been saved in ssh_host_rsa_key.pub.
     The key fingerprint is:
     SHA256:xxxxxxxxxxx root@vmwarehost
     The key's randomart image is:
     +---[RSA 4096]----+
     |                 |
     |                 |
     |                 |
     |                 |
     |                 |
     |                 |
     |                 |
     |                 |
     |                 |
     +----[SHA256]-----+
     [root@vmwarehost:/etc/ssh]
     

   • Done

   • Note that the machine you ssh from will need to cache the new SSH fingerprint

4. Optional - Upload your own SSH public key to use for login

   • your pub-key goes in /etc/ssh/keys-root/authorized_keys
   • do: /etc/init.d/SSH restart

5. Upload key & cert to the VMware Web UI

   • SCP custom.key and custom.crt to vmwarehost (put them in "/" (aka homedir))
   • SSH to the machine

   • output and commands should look like this:

     [root@vmwarehost:~] cd /etc/vmware/ssl/
     [root@vmwarehost:/etc/vmware/ssl] mv rui.key orig.rui.key
     [root@vmwarehost:/etc/vmware/ssl] mv rui.crt orig.rui.crt
     [root@vmwarehost:/etc/vmware/ssl] mv /custom.key rui.key
     [root@vmwarehost:/etc/vmware/ssl] mv /custom.crt rui.crt
     [root@vmwarehost:/etc/vmware/ssl] reboot
     

   • Done

   • You can now point your browser to the machine and have a proper https certificate