Generate ESXi Host Certificates

By | 01/01/2015

VMware uses standard X.509 version 3 certificates to encrypt session information sent over Secure Sockets Layer (SSL) protocol connections between the client and the server.

If you want to replace the default certificates for vCenter Server and ESXi, the certificates you obtain for your servers must be signed and must be in the Privacy Enhanced Mail (PEM) format. The key used to sign certificates must be a standard RSA key with a length between 512 and 4,096 bits. The recommended length is 2,048 bits.

Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.

The certificate files located on an ESXi host are:

  • Private key file: /etc/vmware/ssl/rui.key
  • Certificate file: /etc/vmware/ssl/rui.crt

NOTE: Use commercially signed certificates for systems that are exposed to the Internet.

When you replace default server certificates in a production environment, deploy the new certificates in stages, rather than all at the same time.

You will need to generate a new certificate if the ESXi host or vCenter Server certificate gets deleted, or if you change the hostname of the system. These are the most common reasons to generate a new SSL certificate.

The steps to generate a new ESXi host certificate are detailed here:

Step 1. Log in to the ESXi shell as the root user.

Step 2. Back up any existing certificates, just in case.

# mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.old

# mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.old

NOTE: If the rui.crt and rui.key files do not exist then you do not need to back them up; you can just go to the next step.

Step 3. Generate the new certificates:

# /sbin/generate-certificates

Step 4. Reboot the ESXi host or restart the hostd process:

# /etc/init.d/hostd restart
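As an added example that is not part of the original post, the following POSIX shell script runs the checks a practitioner would want once step 4 is done: it reads the RSA key length of the new rui.crt, confirms it lies in the 512 to 4,096 bit range stated above (warning when it is below the recommended 2,048 bits), confirms that rui.key really belongs to rui.crt, and confirms that the certificate CN matches the host name, since a hostname change is one of the reasons given for regenerating. The default file paths are the ones from the post; the function names, the hostname argument and the openssl invocations are my own and assume an openssl binary is available in the ESXi shell (or on whatever machine you copy the two files to).

```shell
#!/bin/sh
# verify-rui-cert.sh (added example, not the post's own script)
# Post-regeneration checks for an ESXi host certificate.
# Assumes: the rui.crt / rui.key paths from the post and an openssl binary.

CERT="${CERT:-/etc/vmware/ssl/rui.crt}"
KEY="${KEY:-/etc/vmware/ssl/rui.key}"

# Print the public key size in bits of a PEM certificate (empty if unreadable).
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the bit length is inside the 512..4096 range the post gives;
# warn on stderr when it is below the recommended 2048 bits.
key_bits_in_range() {
    bits="$1"
    [ -n "$bits" ] || return 1
    [ "$bits" -ge 512 ] && [ "$bits" -le 4096 ] || return 1
    [ "$bits" -ge 2048 ] || echo "WARNING: $bits-bit key is below the recommended 2048 bits" >&2
    return 0
}

# Return 0 if the private key belongs to the certificate (identical RSA modulus).
# Both moduli must be non-empty so that two unreadable files never compare equal.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the certificate subject CN equals the expected host name.
# The sed pattern accepts both "CN=host" and "CN = host" subject styles.
cert_cn_matches() {
    cn=$(openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Run all checks; exit status 0 only when every check passes.
verify_host_cert() {
    cert="$1"; key="$2"; host="$3"
    bits=$(cert_bits "$cert")
    key_bits_in_range "$bits" \
        || { echo "FAIL: key length '$bits' is outside 512..4096 bits" >&2; return 1; }
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    cert_cn_matches "$cert" "$host" \
        || { echo "FAIL: certificate CN is not '$host'" >&2; return 1; }
    echo "OK: $cert ($bits-bit RSA) matches $key and CN=$host"
}

# Usage on the host after step 4:  sh verify-rui-cert.sh esxi01.example.com
# (esxi01.example.com is a constructed host name; use your host's FQDN.)
if [ $# -ge 1 ]; then
    verify_host_cert "$CERT" "$KEY" "$1"
fi
```

Because step 2 moved the old files aside rather than deleting them, the same script can be pointed at the backups (CERT=/etc/vmware/ssl/rui.crt.old KEY=/etc/vmware/ssl/rui.key.old) to compare the old and new certificates before the host is put back into service, which is useful when rolling the change out in stages as the post recommends.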

Category: VMware

About Alex Hunt

Hi all, I am Manish Jha. I am currently working in OVH US as Operations Support Engineer (vCloud Air Operations). I have around 7 years of IT experience and have exposure on VMware vSphere, vCloud Director, vSphere Replication, vRealize Automation, NSX and RHEL. If you find any post informational to you, please press like and share it across social media, and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purposes only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the products discussed.