Extracting SSL Thumbprint from ESXi

04.15.2012 by William Lam // 13 Comments

While browsing the VMTN forums earlier this week, I noticed an interesting request from a user who was trying to compile an inventory of the SHA1 Thumbprints for all his ESXi hosts. The challenge the user had was that he was capturing this information manually by "looking" at the DCUI screen, which is where the SHA1 Thumbprint for an ESXi host is displayed by default.

As you might have guessed, copying down this very long string by just looking at the screen can be very tedious and error-prone. Even if you do not make a mistake copying this long string, I bet your eyes will eventually give out. Luckily, there are a few ways to retrieve this information, and I will show you some methods to help automate this across all of your ESXi hosts.

UPDATE (05/22/16) - Here's how you can extract SSL Thumbprint using PowerShell

Option 1 - Retrieve the SSL Thumbprint using the DCUI as shown above; this is going to be the most manual method.

Option 2 - If you have remote SSH or direct console access to the ESXi Shell, you can log in to your ESXi host and use the openssl utility to retrieve the SSL Thumbprint, which you can then use or copy off to a remote host.

openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha1 -noout

Option 3 - You can remotely retrieve the SSL Thumbprint using just the openssl utility, without even logging in to the ESXi host. This not only allows you to retrieve the SSL Thumbprint from a centralized location, but also makes it easy to automate this across all your hosts.

echo -n | openssl s_client -connect 172.30.0.252:443 2>/dev/null | openssl x509 -noout -fingerprint -sha1

Using Option 3, you can easily wrap this in a simple "for" loop to iterate through all your ESXi hosts, as long as you have either the hostname or the IP address of each host. Here is a simple shell script that you can use to iterate through all your ESXi hosts to extract the SSL Thumbprint.

In the script above, I have a list of three ESXi hosts and it is simply going through each host and executing the two commands to extract the SSL Thumbprint and displaying it on the screen.
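
An added example, not the author's original script: the Option 3 pipeline wrapped in a loop over an inventory file. It goes one step beyond the post by comparing each fetched thumbprint with a previously recorded one; the `host,thumbprint` file format, the function names and the verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the script from the original post.
# File format, function names and verdict labels are assumptions.

# Reduce any spelling of a thumbprint ("SHA1 Fingerprint=AA:BB:..", lowercase,
# no colons) to bare uppercase hex, so values from the DCUI, openssl and the
# vSphere API can be compared as plain strings.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': \r' | tr 'a-f' 'A-F'
}

# Same pipeline as Option 3. </dev/null closes stdin like "echo -n |" does and
# keeps s_client from swallowing input when called inside a read loop.
fetch_fp() {
    out=$(openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
          openssl x509 -noout -fingerprint -sha1 2>/dev/null) || return 1
    normalize_fp "$out"
}

# Compare a recorded thumbprint ($1) with a fetched one ($2).
verdict() {
    if [ -z "$2" ]; then echo UNREACHABLE
    elif [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; then echo MATCH
    else echo MISMATCH
    fi
}

# Read "host,recorded_thumbprint" lines (the recorded value may be empty) and
# print "host,fetched_thumbprint,verdict" for each host.
audit() {
    while IFS=, read -r host recorded; do
        [ -n "$host" ] || continue
        seen=$(fetch_fp "$host") || seen=""
        if [ -z "$recorded" ] && [ -n "$seen" ]; then result=NEW
        else result=$(verdict "$recorded" "$seen"); fi
        printf '%s,%s,%s\n' "$host" "${seen:-none}" "$result"
    done
}

# Usage: sh thumbprints.sh hosts.csv   (for example a line "172.30.0.252,")
if [ "$#" -gt 0 ]; then audit < "$1"; fi
```

Because `openssl s_client` reports whatever certificate the address presents, the comparison is only meaningful when the recorded value was taken with Option 1 or Option 2.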

Option 4 - You can also retrieve the SSL Thumbprint using the vSphere API, but the property is only displayed when the ESXi host is connected to a vCenter Server. There is a property on the ESXi host called sslThumbprint that is populated when querying against the vCenter Server that is managing the ESXi host. You can use the vSphere Health Check script, which captures this and other useful information about your vSphere infrastructure.

As you can see, there are several options for obtaining the SSL Thumbprint for an ESXi host; you definitely do not have to manually read it off the DCUI screen. Automation FTW again! 🙂


Comments

  1. Mike Lamb says

    07/08/2014 at 10:28 pm

    Where is the SSL thumbprint for the vCenter in the vSphere API?

    • Damir says

      03/25/2015 at 8:40 am

      I found it but the value is Unset even though my ESXi is connected to the vCenter. There is a certificate though that is set as a byte array.

    • bhuvana says

      07/27/2016 at 3:47 am

      I have the same question. Is it possible to get the thumbprint of vCenter using the vSphere API?

      • William Lam says

        07/27/2016 at 5:20 am

        No, not afaik

        • bhuvana says

          07/27/2016 at 5:31 am

          Thank you.

  2. Anon says

    04/03/2015 at 1:10 pm

    Hello, I wanted to know, are the certificates on an ESXi server self-signed or is there an actual CA that creates and confirms them? Also, is SSL used on a vSphere console session to encrypt the data?

  3. intellisent says

    07/22/2016 at 2:51 am

    How can I get SSL Thumbprint info using PowerShell for all my ESXi hosts in vCenter?
    Thanks

    • William Lam says

      07/22/2016 at 6:15 am

      Have a look here https://gist.github.com/lamw/988e4599c0f88d9fc25c9f2af8b72c92

  4. Abul Ahmed says

    08/17/2021 at 4:57 am

    By the look of it, it seems it's the same certificate as the web UI of the ESXi host. If that's correct, then you could also collect the thumbprint from the browser.
    I have written a PowerShell script and a Python script to query the IP/URL on port 443 and get a string object in return with all the certificate details. Originally I wrote the script to monitor web certificates' expiry dates.




Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
