While browsing the VMTN forums earlier this week, I noticed an interesting request from a user who was trying to compile an inventory of the SHA1 Thumbprints for all his ESXi hosts. The user's challenge was that he was capturing this information manually by "looking" at the DCUI screen, which is where the SHA1 Thumbprint for an ESXi host is displayed by default.
As you might have guessed, copying down this very long string by just looking at the screen is tedious and error-prone. Even if you do not make a mistake copying this long string, I bet your eyes will eventually give out. Luckily, there are a few ways to retrieve this information, and I will show you some methods to help automate this across all of your ESXi hosts.
UPDATE (05/22/16) - Here's how you can extract SSL Thumbprint using PowerShell
Option 1 - Retrieve the SSL Thumbprint using the DCUI as shown above; this is going to be the most manual method.
Option 2 - If you have remote SSH or direct console access to the ESXi Shell, you can log in to your ESXi host and use the openssl utility to retrieve the SSL Thumbprint, which you can then use or copy off to a remote host.
openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha1 -noout
Option 3 - You can remotely retrieve the SSL Thumbprint using just the openssl utility, without even logging in to the ESXi host. This not only allows you to retrieve the SSL Thumbprint from a centralized location, but also makes it easy to automate across all your hosts.
echo -n | openssl s_client -connect 172.30.0.252:443 2>/dev/null | openssl x509 -noout -fingerprint -sha1
Using Option 3, you can easily wrap this in a simple "for" loop to iterate through all your ESXi hosts, as long as you have either the hostname or the IP address of each one. Here is a simple shell script that you can use to iterate through all your ESXi hosts to extract the SSL Thumbprint.
In the script above, I have a list of three ESXi hosts and it is simply going through each host and executing the two commands to extract the SSL Thumbprint and displaying it on the screen.
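A loop of the kind described above, as an added example rather than the author's original script: it wraps the Option 3 command in functions, checks that the result is a well-formed SHA1 fingerprint and reports hosts that fail. The function names, the `TIMEOUT` value and the addresses in the usage comment are assumptions, and `timeout` is the GNU coreutils utility.

```shell
#!/bin/sh
# Added example: collect SHA1 thumbprints from several ESXi hosts (Option 3 in a loop).
PORT=443
TIMEOUT=5   # assumed per-host limit in seconds; needs GNU coreutils `timeout`

# Pull the hex value out of openssl's "SHA1 Fingerprint=AA:BB:..." line.
# Accepts either letter case, prints it upper-cased, and returns 1 unless the
# value is exactly 20 colon-separated bytes (what a SHA1 digest must be).
parse_fingerprint() {
    fp=$(printf '%s\n' "$1" | sed -n 's/^[Ss][Hh][Aa]1 Fingerprint=//p' | tr 'a-f' 'A-F')
    printf '%s\n' "$fp" | grep -Eq '^([0-9A-F]{2}:){19}[0-9A-F]{2}$' || return 1
    printf '%s\n' "$fp"
}

# Fetch the certificate a host presents on $PORT and print its thumbprint.
# stdin comes from /dev/null so s_client exits once the handshake is done.
get_thumbprint() {
    line=$(timeout "$TIMEOUT" openssl s_client -connect "$1:$PORT" </dev/null 2>/dev/null |
           openssl x509 -noout -fingerprint -sha1 2>/dev/null)
    parse_fingerprint "$line"
}

# Print "host,thumbprint" per host; failures go to stderr and set the exit status.
collect() {
    rc=0
    for host in "$@"; do
        if thumb=$(get_thumbprint "$host"); then
            printf '%s,%s\n' "$host" "$thumb"
        else
            printf '%s: no certificate retrieved\n' "$host" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage (constructed placeholder addresses):
#   sh thumbprints.sh 192.0.2.11 192.0.2.12 192.0.2.13
if [ "$#" -gt 0 ]; then
    collect "$@"
fi
```

A thumbprint fetched this way is that of whatever certificate answered on the network, so before relying on the list, spot-check a host against its DCUI screen or the Option 2 output.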
Option 4 - You can also retrieve the SSL Thumbprint using the vSphere API, but the property is only displayed when the ESXi host is connected to a vCenter Server. There is a property on the ESXi host called sslThumbprint that is populated when querying against the vCenter Server that is managing the ESXi host. You can use the vSphere Health Check script, which captures this and other useful information about your vSphere infrastructure.
As you can see, there are several options for obtaining the SSL Thumbprint for an ESXi host, so you definitely do not have to manually read it off the DCUI screen. Automation FTW again! 🙂
Mike Lamb says
Where is the SSL thumbprint for the vCenter in the vSphere API?
Damir says
I found it but the value is Unset even though my ESXi is connected to the vCenter. There is a certificate though that is set as a byte array.
bhuvana says
I have the same question. Is it possible to get the thumbprint of vCenter using the vSphere API?
William Lam says
No, not afaik
bhuvana says
Thank you.
Anon says
Hello, I wanted to know, are the certificates on an ESXi server self-signed or is there an actual CA that creates and confirms them? Also, is SSL used on a vSphere console session to encrypt the data?
intellisent says
How can I get SSL Thumbprint info using PowerShell for all my ESXi hosts in vCenter?
Thanks
William Lam says
Have a look here https://gist.github.com/lamw/988e4599c0f88d9fc25c9f2af8b72c92
Abul Ahmed says
By the look of it, it seems it's the same certificate as the web UI of the ESXi host. If that's correct, then you could also collect the thumbprint from a browser.
I have written a PowerShell script and a Python script to query the IP/URL on port 443 and get a string object in return with all the certificate details. Originally I wrote the script to monitor web certificate expiry dates.