VCF 4.2 On VxRail - Validate Thumbprints

In order to prevent the opportunity of a Man In The Middle (MiTM) attack VMware have introduced a security feature which validates the SSH RSA fingerprint and SSL thumbprint of both vCenter Server and VxRail Manager along with the SSH fingerprints of the ESXi hosts during initial deployments.


This feature can be enabled/disabled from within the VCF On VxRail Deployment Parameter Workbook:

How To Gather The Prints

The instructions below will showcase how to collect the prints and how to enter them in the VCF On VxRail Deployment Parameter Workbook. As a result; Cloud Builder can later verify these keys when deploying VCF. Begin by launching an SSH connection to the Cloud Builder appliance using the ‘Admin’ credentials:



Working through the parameter workbook list I firstly gather the VxRail Manager prints (FQDN in this example is vcfmgmtvxrmgr.cse.lab ):

  • ssh-keygen -lf <(ssh-keyscan vcfmgmtvxrmgr.cse.lab 2>/dev/null)

  • openssl s_client -connect vcfmgmtvxrmgr.cse.lab:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin


vCenter prints (FQDN in this example is vcfmgmtvc.cse.lab):

  • ssh-keygen -lf <(ssh-keyscan vcfmgmtvc.cse.lab 2>/dev/null)

  • openssl s_client -connect vcfmgmtvc.cse.lab:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin


ESXi Hosts SSH Fingerprints (Ensure the SSH Service has been started on each ESXi host):

  • ssh-keygen -lf <(ssh-keyscan vcfesxi01.cse.lab 2>/dev/null)

  • ssh-keygen -lf <(ssh-keyscan vcfesxi02.cse.lab 2>/dev/null)

  • ssh-keygen -lf <(ssh-keyscan vcfesxi03.cse.lab 2>/dev/null)

  • ssh-keygen -lf <(ssh-keyscan vcfesxi04.cse.lab 2>/dev/null)


Populating the VCF On VxRail Deployment Parameter Workbook with the respective prints:


35 views0 comments

Recent Posts

See All