Generate ESXi Host Certificates

VMware use standard X.509 version 3 certificates to encrypt session information sent over Secure Socket Layer protocol connections between the client and the server.

If you want to replace default certificates for vCenter Server and ESXi , the certificates you obtain for your servers must be signed and must conform to the Privacy Enhanced Mail (PEM) key format. The key used to sign certificates must be a standard RSA key with an encryption length that ranges from 512 to 4,096 bits. The recommended length is 2,048 bits.

Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.

Certificate files located on an ESXi host are

  • Private key file: /etc/vmware/ssl/rui.key
  • Certification file: /etc/vmware/ssl/rui.crt

NOTE Use commercially signed certificates for systems that are exposed to the Internet.

When you replace default server certificates in a production environment, deploy the new certificates in stages, rather than all at the same time.

You will need to generate a new certificate if the ESXi host or vCenter Server certificate gets deleted, or if you change the hostname of the system. These would be the most common reasons to generate a new SSL certificate.

The steps to generate a new ESXi host certificate are detailed here:

Step 1. Log in to the ESXi shell as the root user.

Step 2. Back up any existing certificates, just in case.

# mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.old

# mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.old

NOTE: If the rui.crt and rui.key files do not exist then you do not need to back them up; you can just go to the next step.

Step 3. Generate the new certificates:

# /sbin/generate-certificates

Step 4. Reboot the ESXi host or restart the hostd process:

# /etc/init.d/hostd/restart