Generate ESXi Host Certificates


VMware uses standard X.509 version 3 certificates to encrypt session information sent over Secure Sockets Layer (SSL) connections between the client and the server.

If you want to replace the default certificates for vCenter Server and ESXi, the certificates you obtain for your servers must be signed and must be in the Privacy Enhanced Mail (PEM) format. The key used to sign the certificates must be a standard RSA key with a length between 512 and 4,096 bits. The recommended length is 2,048 bits.

Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.

The certificate files on an ESXi host are:

  • Private key file: /etc/vmware/ssl/rui.key
  • Certificate file: /etc/vmware/ssl/rui.crt

NOTE Use commercially signed certificates for systems that are exposed to the Internet.

When you replace default server certificates in a production environment, deploy the new certificates in stages, rather than all at the same time.

You will need to generate a new certificate if the ESXi host or vCenter Server certificate gets deleted, or if you change the hostname of the system. These are the most common reasons to generate a new SSL certificate.

The steps to generate a new ESXi host certificate are detailed here:

Step 1. Log in to the ESXi shell as the root user.

Step 2. Back up any existing certificates, just in case.

# mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.old

# mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.old

NOTE: If the rui.crt and rui.key files do not exist, then you do not need to back them up; you can go straight to the next step.

Step 3. Generate the new certificates:

# /sbin/generate-certificates

Step 4. Reboot the ESXi host or restart the hostd process:

# /etc/init.d/hostd restart
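The four steps above, and the key-format rules stated earlier (PEM, RSA, 512 to 4,096 bits, 2,048 recommended), can be wrapped in a small script so that the backup keeps a timestamp instead of overwriting an earlier .old copy, and so that hostd is only restarted after the new rui.crt and rui.key have been checked. This is an added example, not a script from the original post or from VMware; it assumes the ESXi paths the post names (/etc/vmware/ssl, /sbin/generate-certificates, /etc/init.d/hostd) and that the openssl binary is available for the checks. SSL_DIR and GEN_CMD are hypothetical environment overrides added so the helper functions can be exercised outside an ESXi host.

```shell
#!/bin/sh
# Added example (not from the original post). Regenerates ESXi host certificates with a
# timestamped backup and a sanity check before hostd is restarted.
SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"              # assumed ESXi certificate directory
GEN_CMD="${GEN_CMD:-/sbin/generate-certificates}"  # assumed ESXi generator (from the post)

# Step 2: move rui.crt and rui.key aside as <name>.old.<stamp>; missing files are skipped.
backup_certs() {
    dir="$1"; stamp="$2"
    for f in rui.crt rui.key; do
        if [ -f "$dir/$f" ]; then
            mv "$dir/$f" "$dir/$f.old.$stamp" || return 1
        fi
    done
    return 0
}

# Check the new files: both exist, the key matches the certificate, and the RSA key
# length is inside the 512..4096-bit range the post gives (warn if below 2048).
verify_certs() {
    dir="$1"
    [ -f "$dir/rui.crt" ] && [ -f "$dir/rui.key" ] || return 1
    command -v openssl >/dev/null 2>&1 || return 0   # cannot inspect further; existence only
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/rui.crt" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/rui.key" 2>/dev/null) || return 1
    [ "$crt_mod" = "$key_mod" ] || return 1
    bits=$(openssl rsa -noout -text -in "$dir/rui.key" 2>/dev/null \
           | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ -n "$bits" ] || return 1
    [ "$bits" -ge 512 ] && [ "$bits" -le 4096 ] || return 1
    [ "$bits" -ge 2048 ] || echo "warning: RSA key is only $bits bits; 2048 is recommended" >&2
    return 0
}

# Steps 2-4 in order; stop before restarting hostd if anything looks wrong.
regenerate() {
    stamp=$(date +%Y%m%d%H%M%S)
    [ -x "$GEN_CMD" ] || { echo "generator $GEN_CMD not found" >&2; return 1; }
    backup_certs "$SSL_DIR" "$stamp" || { echo "backup failed" >&2; return 1; }
    "$GEN_CMD" || { echo "certificate generation failed" >&2; return 1; }
    verify_certs "$SSL_DIR" || { echo "new certificate/key failed checks" >&2; return 1; }
    /etc/init.d/hostd restart
}

# Only regenerate when invoked as "sh script.sh run" (step 1 is still logging in as root).
if [ "$1" = "run" ]; then
    regenerate
fi
```

Run it on the host as root with `sh regen-esxi-cert.sh run`. The old files keep a timestamp suffix, so repeating the procedure after a hostname change does not destroy the previous backup, and the restart only happens once the new pair has been confirmed to belong together.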

About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.
This entry was posted in Vmware. Bookmark the permalink.
