Replace ESXi host default certificate with CA-Signed Certificate

A default certificate is generated automatically for the ESXi host during installation. Because this certificate is self-generated, it has not been signed by a certificate authority and will not be trusted by other servers and clients that communicate with the host. Other network devices might not allow communication with the ESXi host until its certificate is signed by a well-known CA. X.509 certificates are supported over SSL connections for the encrypted session.

NOTE: When replacing the default certificate of the ESXi host, if the vCenter Server stops managing the host, check whether the ESXi host has Verify Certificates enabled. If this is the case, reconnect the ESXi host to the vCenter Server using the vSphere Client.

The steps to add a CA-signed certificate are as follows:

Step 1. Log in to the ESXi host over SSH using PuTTY.

Step 2. Change directory to /etc/vmware/ssl and back up the certificate files:

# mv rui.crt

Generate ESXi Host Certificates

VMware uses standard X.509 version 3 certificates to encrypt session information sent over Secure Sockets Layer (SSL) protocol connections between the client and the server.

If you want to replace the default certificates for vCenter Server and ESXi, the certificates you obtain for your servers must be signed and must conform to the Privacy Enhanced Mail (PEM) key format. The key used to sign certificates must be a standard RSA key with a key length that ranges from 512 to 4,096 bits. The recommended length is 2,048 bits.
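The requirements above can be checked before the files are copied to the host. The script below is an added example, not part of the original post: it assumes the OpenSSL command-line tool is available on the workstation, and the function names and the host name `esxi01.example.test` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight check of a replacement
# certificate/key pair against the requirements stated above.

# check_esxi_cert_pair CERT KEY
# Returns 0 if both files are PEM, the key is RSA with 512..4096 bits,
# and the certificate's public key belongs to the private key.
check_esxi_cert_pair() {
    local cert="$1" key="$2" bits cert_mod key_mod

    # PEM files carry text armor lines; DER or PKCS#12 files do not.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        { echo "FAIL: certificate is not PEM"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null ||
        { echo "FAIL: private key is not PEM"; return 1; }

    # Must parse as a consistent RSA key. The empty passphrase makes an
    # encrypted key fail here instead of prompting.
    openssl rsa -in "$key" -passin pass: -check -noout >/dev/null 2>&1 ||
        { echo "FAIL: not a usable RSA private key"; return 1; }

    # Key size as reported by OpenSSL, e.g. "Private-Key: (2048 bit, 2 primes)".
    bits=$(openssl rsa -in "$key" -passin pass: -noout -text 2>/dev/null |
           sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 512 ] && [ "$bits" -le 4096 ] ||
        { echo "FAIL: RSA key size '${bits}' outside 512..4096 bits"; return 1; }
    [ "$bits" -ge 2048 ] || echo "WARN: ${bits}-bit key is below the recommended 2048 bits"

    # A certificate issued for a different CSR will not share the key's modulus.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$key" -passin pass: -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] ||
        { echo "FAIL: certificate does not match private key"; return 1; }

    echo "OK: ${bits}-bit RSA key, PEM encoded, matches certificate"
}

# Constructed sample material: a throwaway self-signed pair for a made-up host.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=esxi01.example.test" \
        -keyout "$1/rui.key" -out "$1/rui.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" && check_esxi_cert_pair "$demo_dir/rui.crt" "$demo_dir/rui.key"
rm -rf "$demo_dir"
```

For a real replacement, call `check_esxi_cert_pair` with the CA-issued certificate and the key that produced its signing request.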

Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance.

Certificate files located on an ESXi host are:

  • Private key file: /etc/vmware/ssl/rui.key