Generate ESXi Host Certificates

VMware uses standard X.509 version 3 certificates to authenticate the server and protect session data sent over Secure Sockets Layer (SSL) connections between the client and the server.

If you want to replace the default certificates for vCenter Server and ESXi, the certificates you obtain for your servers must be signed and must be stored in the Privacy Enhanced Mail (PEM) format. The key used to sign certificates must be a standard RSA key with a length between 512 and 4,096 bits. The recommended length is 2,048 bits.

Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.

The certificate files on an ESXi host are:

  • Private key file: /etc/vmware/ssl/rui.key
  • Certificate file: /etc/vmware/ssl/rui.crt

NOTE: Use commercially signed certificates for systems that are exposed to the Internet.

When you replace default server certificates in a production environment, deploy the new certificates in stages, rather than replacing all at once.

You will need to generate a new certificate if the ESXi host or vCenter Server certificate is deleted, or if you change the hostname of the system. These are the most common reasons to generate a new SSL certificate.

The steps to generate a new ESXi host certificate are detailed here:

Step 1. Log in to the ESXi shell as the root user.

Step 2. Back up any existing certificates, just in case.

NOTE: If the rui.crt and rui.key files do not exist, then you do not need to back them up; you can proceed to the next step.

Step 3. Generate the new certificates:

Step 4. Reboot the ESXi host or restart the hostd process.
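As an added example that is not part of the original post, the following POSIX shell function checks a replacement certificate pair against the requirements described above (PEM format, private key matching the certificate, RSA length at the recommended 2,048 bits or more, subject CN equal to the host name, not expired) before you restart hostd. It assumes the openssl command-line tool is available (it is present in the ESXi shell); the function name is my own, and the file paths default to the ESXi locations listed earlier but can be overridden.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an ESXi host
# certificate pair before restarting hostd. Assumes the openssl CLI exists.
#
# usage: check_cert_pair [CERT] [KEY] [EXPECTED_CN]
# Returns 0 when every check passes; otherwise prints each failure and
# returns 1. Defaults are the ESXi paths /etc/vmware/ssl/rui.crt and rui.key
# and the host's own FQDN.
check_cert_pair() {
    cert="${1:-/etc/vmware/ssl/rui.crt}"
    key="${2:-/etc/vmware/ssl/rui.key}"
    expected_cn="${3:-$(hostname -f 2>/dev/null || hostname)}"
    rc=0

    # 1. Both files must be valid PEM: an X.509 certificate and an RSA key.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "FAIL: $cert is not a valid PEM certificate"; return 1; }
    openssl rsa -in "$key" -noout -check >/dev/null 2>&1 \
        || { echo "FAIL: $key is not a valid PEM RSA private key"; return 1; }

    # 2. The key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi

    # 3. RSA length: 512-4096 bits is accepted, 2048 is the recommendation.
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL: RSA key is ${bits:-?} bits; 2048 is the recommended minimum"; rc=1
    fi

    # 4. Subject CN must match the host name (a hostname change is the usual
    #    reason for regenerating the certificate in the first place).
    cn=$(openssl x509 -in "$cert" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    if [ "$cn" != "$expected_cn" ]; then
        echo "FAIL: certificate CN '$cn' does not match host name '$expected_cn'"; rc=1
    fi

    # 5. The certificate must be valid right now (-checkend 0).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired"; rc=1; }

    return $rc
}
```

Run it after Step 3 and before Step 4; a clean pass prints nothing and returns 0.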


One thought on “Generate ESXi Host Certificates”

  1. This is the simplest way to generate a new self-signed certificate on an ESXi host. Everyone should ignore all other 12-page posts about doing this through PowerShell on Windows and just do it this way. THANKS!
