VMware uses standard X.509 version 3 certificates to encrypt session information sent over Secure Sockets Layer (SSL) connections between the client and the server.
If you want to replace the default certificates for vCenter Server and ESXi, the certificates you obtain for your servers must be signed and must be in the Privacy Enhanced Mail (PEM) format. The key used to sign certificates must be a standard RSA key with a length of 512 to 4,096 bits; the recommended length is 2,048 bits.
Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.
The certificate files on an ESXi host are:
- Private key file: /etc/vmware/ssl/rui.key
- Certificate file: /etc/vmware/ssl/rui.crt
NOTE: Use commercially signed certificates for systems that are exposed to the Internet.
When you replace default server certificates in a production environment, deploy the new certificates in stages, rather than all at the same time.
You will need to generate a new certificate if the ESXi host or vCenter Server certificate is deleted, or if you change the hostname of the system; these are the most common reasons to generate a new SSL certificate.
The steps to generate a new ESXi host certificate are detailed here:
Step 1. Log in to the ESXi shell as the root user.
Step 2. Back up any existing certificates, just in case.
# mv /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.old
# mv /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.old
NOTE: If the rui.crt and rui.key files do not exist, you do not need to back them up; go straight to the next step.
Step 3. Generate the new certificates:
# /sbin/generate-certificates
Step 4. Reboot the ESXi host or restart the hostd process:
# /etc/init.d/hostd restart
This is the simplest way to generate a new self-signed certificate on an ESXi host. Everyone should ignore all other 12-page posts about doing this through PowerShell on Windows and just do it this way. THANKS!
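The four steps above, wrapped into one POSIX shell script as an added example (this is my illustration, not code from the original post and not a VMware tool). The two ESXi-specific commands from the post sit in their own hypothetical functions, esxi_generate and esxi_restart_hostd, so the backup and sanity-check logic can be exercised on any machine; backups get a timestamp suffix rather than the post's plain ".old" so a second run does not overwrite the first backup; and cert_summary prints the subject, expiry and SHA-256 fingerprint of the new certificate, which is what you compare against the client's warning before importing it into a local certificate store.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware.
# Regenerates the ESXi self-signed certificate pair (rui.key / rui.crt)
# following the post's four steps, with the backup skipped when there is
# nothing to back up and a check that the generator really produced files.
#
# Assumptions (names chosen for this example):
#   SSL_DIR              - the ESXi certificate directory from the post
#   esxi_generate        - wrapper around /sbin/generate-certificates
#   esxi_restart_hostd   - wrapper around /etc/init.d/hostd restart
# Both wrappers can be redefined to try the script on a non-ESXi box.

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Step 3 of the post: ESXi's own generator writes rui.key and rui.crt.
esxi_generate() {
    /sbin/generate-certificates
}

# Step 4 of the post: restart hostd so the new certificate is served.
esxi_restart_hostd() {
    /etc/init.d/hostd restart
}

# Step 2 of the post: move existing rui.crt / rui.key aside, only if present.
# Suffix is <file>.<timestamp>.old so repeated runs keep every backup.
backup_existing_cert() {
    dir="$1"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in rui.crt rui.key; do
        if [ -f "$dir/$f" ]; then
            mv "$dir/$f" "$dir/$f.$stamp.old" || return 1
        fi
    done
    return 0
}

# The whole procedure. Returns non-zero if any step fails or if the generator
# did not leave both files behind (so hostd is never restarted without a cert).
regen_esxi_cert() {
    dir="${1:-$SSL_DIR}"
    backup_existing_cert "$dir" || return 1
    esxi_generate || return 1
    [ -f "$dir/rui.crt" ] && [ -f "$dir/rui.key" ] || return 1
    esxi_restart_hostd || return 1
    return 0
}

# Fields to compare before trusting/importing the certificate on a client:
# subject, expiry date and SHA-256 fingerprint.
cert_summary() {
    openssl x509 -in "${1:-$SSL_DIR/rui.crt}" -noout \
        -subject -enddate -fingerprint -sha256
}

# Only touches the host when explicitly asked:
#   RUN_REGEN=1 sh regen-esxi-cert.sh
if [ "${RUN_REGEN:-0}" = "1" ]; then
    regen_esxi_cert "$SSL_DIR" && cert_summary "$SSL_DIR/rui.crt"
fi
```

Run it on the host as root with RUN_REGEN=1; without that variable it only defines the functions, so you can source it and call cert_summary on its own to read back the fingerprint. Keep in mind that regenerating changes the host's certificate thumbprint, so vCenter Server and any client that trusted the old certificate will flag the host until it is reconnected or the new certificate is imported, which is exactly where the printed fingerprint is used.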