Thursday, August 1, 2024

Automatic Updating ESXi Certificates

This is mostly a note to myself.

Venafi TPP can copy certificate files via SSH by using SCP. 

Looks like ESXi supports this (the files can simply be dropped into place over SCP):

  • I've always WinSCP'd into the host, then gone to /etc/vmware/ssl/, renamed and transferred the certificate as 'rui.crt' and renamed and transferred the private key as 'rui.key', then gone to the ESXi console, gone to Troubleshoot, and restarted the management agents. Your ESXi host should now be using the new certificates.
  • https://www.reddit.com/r/vmware/comments/yenv8d/replace_esxi_host_ssl_with_internal_ca_with/ 

Other:

  • https://knowledge.broadcom.com/external/article?legacyId=56441 
  • https://www.filecloud.com/blog/2022/06/installing-an-ssl-certificate-on-an-esxi-server/
  • https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-B70177EE-9C62-4BB9-BD3C-4848C128E63A.html
  • https://www.starwindsoftware.com/blog/how-to-replace-your-default-esxi-ssl-certificate-with-a-self-signed-certificate/
  • https://docs.vmware.com/en/VMware-Cloud-Foundation/4.5/vcf-admin/GUID-91824B56-91F3-44FE-B67B-180A50B94717.html#GUID-91824B56-91F3-44FE-B67B-180A50B94717
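The same push that Venafi TPP would do over SCP, scripted by hand as an added example (this is not code from the original post, from Venafi or from VMware). It assumes the Windows OpenSSH client (scp.exe/ssh.exe) on the admin workstation, SSH enabled on the host with key-based login for root, and that $EsxiHost, $CertPath and $KeyPath are placeholders for your own values. It backs up the current pair, copies the new files into /etc/vmware/ssl/, restarts hostd and vpxa (the command-line equivalent of "Restart Management Agents" in the DCUI Troubleshooting menu) and then checks that the host actually serves the new certificate on 443:

```powershell
# Added example, not from the original post or from Venafi/VMware.
# Assumes: Windows OpenSSH client, SSH + key auth for root on the host,
# and placeholder values for -EsxiHost, -CertPath and -KeyPath.

function Get-ServedCertificate {
    # Fetch whatever certificate the host presents on the given port.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: we only want to read the presented leaf.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Update-EsxiCertificate {
    param(
        [Parameter(Mandatory)][string]$EsxiHost,
        [Parameter(Mandatory)][string]$CertPath,   # PEM certificate, becomes rui.crt
        [Parameter(Mandatory)][string]$KeyPath,    # matching PEM private key, becomes rui.key
        [string]$User = 'root'
    )
    # Load the new certificate locally so the result can be verified afterwards.
    $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    if ($newCert.NotAfter -lt (Get-Date)) { throw "$CertPath is already expired" }
    $target = "$User@$EsxiHost"

    # Keep the current pair so the host can be put back if hostd refuses the new one.
    ssh $target 'cp /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.bak && cp /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.bak'
    if ($LASTEXITCODE -ne 0) { throw 'backup of the existing certificate failed' }

    scp $CertPath "${target}:/etc/vmware/ssl/rui.crt"
    if ($LASTEXITCODE -ne 0) { throw 'scp of rui.crt failed' }
    scp $KeyPath "${target}:/etc/vmware/ssl/rui.key"
    if ($LASTEXITCODE -ne 0) { throw 'scp of rui.key failed' }

    # Private key must not be world-readable; restart hostd and vpxa so they reload the files.
    ssh $target 'chmod 600 /etc/vmware/ssl/rui.key && /etc/init.d/hostd restart && /etc/init.d/vpxa restart'
    if ($LASTEXITCODE -ne 0) { throw 'restart of the management agents failed' }

    # hostd takes a while to come back; poll until the served thumbprint matches.
    for ($i = 0; $i -lt 12; $i++) {
        Start-Sleep -Seconds 10
        try {
            $served = Get-ServedCertificate -HostName $EsxiHost
            if ($served.Thumbprint -eq $newCert.Thumbprint) {
                return "$EsxiHost now serves $($newCert.Subject), expires $($newCert.NotAfter)"
            }
        } catch { }   # connection refused while hostd restarts; keep polling
    }
    throw "$EsxiHost still serves $($served.Thumbprint); expected $($newCert.Thumbprint). Restore the .bak files."
}

# Usage (placeholder values):
# Update-EsxiCertificate -EsxiHost 'esxi01.example.internal' -CertPath .\rui.crt -KeyPath .\rui.key
```

The thumbprint check at the end is the part worth keeping even if the rest is replaced by TPP: it proves hostd actually loaded the new pair rather than silently falling back. If the OpenSSH client on the workstation is 9.0 or newer, scp uses SFTP by default; on an ESXi build without an SFTP subsystem, add -O to the scp calls to force the legacy SCP protocol.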


Thursday, June 20, 2024

Determine Local SID via PowerShell

I recently needed to verify that SYSPREP had been run on a few servers. You can download the Sysinternals utility PsGetSid to do this, but I didn't want to introduce an external utility to the servers.

I found the following PowerShell code to get the SID of the local Administrator account.

# Resolve the local Administrator account name to its SID
$u = New-Object System.Security.Principal.NTAccount('administrator')
$sid = $u.Translate([System.Security.Principal.SecurityIdentifier])
$sid.Value

This returns a SID ending in -500, which is the relative identifier (RID) of the built-in Administrator account. Everything before the -500 (the S-1-5-21-... part) is the SID of the local machine. If that machine SID differs from the other servers built from the same image, SYSPREP regenerated it; if two servers share it, the image was cloned without SYSPREP. Note that the lookup above is by account name, so it fails if the built-in Administrator has been renamed; the -500 RID itself never changes.

You can also look for the CloneTag value in HKLM:\SYSTEM\Setup. This contains the date and time when SYSPREP was last run (it is absent if SYSPREP never ran). However, I prefer to see the unique SID.
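Both checks together, as an added example (not code from the original post): it finds the built-in Administrator by its fixed RID 500 instead of by name, strips the RID with the SecurityIdentifier's AccountDomainSid property to get the machine SID, reads CloneTag, and then compares several servers over WinRM so that a shared machine SID stands out. The server names are placeholders and the example assumes PowerShell 5.1 or later (for Get-LocalUser) and WinRM access to the targets.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on the
# targets and WinRM access; the computer names used are placeholders.

# Runs on each server: machine SID plus the Sysprep CloneTag.
$probe = {
    # Match on the RID rather than the name, so a renamed Administrator still works.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $admin) { throw "Built-in Administrator (RID 500) not found on $env:COMPUTERNAME" }

    # AccountDomainSid drops the RID: S-1-5-21-a-b-c-500 -> S-1-5-21-a-b-c
    $setup = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup'
    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        MachineSid = $admin.SID.AccountDomainSid.Value
        CloneTag   = $setup.CloneTag      # $null if Sysprep never ran here
    }
}

function Test-UniqueMachineSid {
    # Collect the probe result from every server and flag machine SIDs that repeat.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe

    $shared = $results | Group-Object MachineSid | Where-Object Count -gt 1
    foreach ($g in $shared) {
        Write-Warning ("Machine SID {0} is shared by {1}: image cloned without Sysprep" -f
            $g.Name, ($g.Group.Server -join ', '))
    }
    $results | Select-Object Server, MachineSid, CloneTag
}

# Usage (placeholder names). For the local machine alone, run: & $probe
# Test-UniqueMachineSid -ComputerName 'srv01', 'srv02', 'srv03'
```

A missing CloneTag together with a machine SID that matches another server is the clear "never sysprepped" signature; a unique SID with no CloneTag just means the box was installed fresh rather than from a generalized image.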


More info about using SYSPREP: