Security

Quick Tip - Custom JSON for Deploying VMware Cloud Foundation (VCF) with Custom TLS Certificates

09.23.2025 by William Lam // Leave a Comment

ESXi hosts deployed with a custom CA signed TLS certificate can be consumed by either VMware Cloud Foundation (VCF) 5.x Cloud Builder or 9.x VCF Installer using a custom JSON deployment manifest.

An additional securitySpec should be appended to your VCF JSON deployment manifest using the following format:

"securitySpec": {
  "esxiCertsMode": "Custom",
  "rootCaCerts": [
    {
      "alias": "custom-CA",
      "certChain": [
        "-----BEGIN CERTIFICATE-----\nMIIDqzC...\n...\n...==\n-----END CERTIFICATE-----"
      ]
    }
  ]
}

[Read more...]

Recovering ESXi 7.x & 8.x host after forgetting or losing root password

10.23.2024 by William Lam // 14 Comments

The general guidance and quickest way to recover an ESXi host if you have forgotten or lost the root password is to reset using vSphere Host Profiles if it was managed by vCenter Server or simply reinstall ESXi which would allow you to preserve the existing VMFS volumes along with any workloads that may reside on them.

In the past, it was also possible to reset the ESXi root password by booting the system into Linux and then manually updating the /etc/shadow file, which is simliar to how you could reset the password on a Linux-base system and you can find a number of blog articles outlining the details. With the introduction of the ESXi Configuration Store, the previous methodology no longer works for modern ESXi releases starting from ESXi 7.0 Update 1 and later.

Having said that, I know this is still a topic that comes up frequently, especially in the context of administrators joining a brand new company where the ESXi root password has not been properly documented or an admin being asked to support a random set of standalone ESXi hosts that have no owners. Regardless of the scenario, while a reinstallation is the quickest way to recover, it certainly would be nice to be able to maintain the original configuration, especially if there is no documentation to begin with.

While there has been various snippets of information shared online (here, here and here), which includes information from myself, I figured it might be good to figure out the latest process for recovering an ESXi 7.x or 8.x host without requiring a reinstallation.

[Read more...]

Quick Tip - API for Broadcom Security Advisories

09.25.2024 by William Lam // 7 Comments

Broadcom publishes all security advisories within the Broadcom Support Portal (BSP), under Security Advisories on left hand navigation, which will take you to https://support.broadcom.com/group/ecx/security-advisory page.

You can also view specific Broadcom Division security advisories, by providing the specific Broadcom Division Segment ID, which also does not require a login to view.

Here is a table of all Broadcom Software Divisions that currently publishes security advisories:

[Read more...]