ESXi uses automatically generated certificates that are created as part of the installation process. These certificates are unique and make it possible to begin using the server, but they are not verifiable and they are not signed by a trusted certificate authority (CA). This topic explains how to replace the default certificates with self-signed or CA-signed certificates.

About this task

Using default certificates might not comply with the security policy of your organization. If you require a certificate from a trusted certificate authority, you can replace the default certificate.


If the host has Verify Certificates enabled, replacing the default certificate might cause vCenter Server to stop managing the host. Disconnect and reconnect the host if vCenter Server cannot verify the new certificate.

ESXi supports only X.509 certificates to encrypt session information sent over SSL connections between server and client components.


  • If you want to use CA-signed certificates, generate the certificate request, send it to the certificate authority, and store the certificates you receive in a location that the host can access.

  • If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Web Client. See Use the vSphere Web Client to Enable Access to the ESXi Shell.

  • All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege Host > Config > AdvancedConfig on the host. For more information on ESXi privileges, see the vSphere Single Host Management publication.


  1. Log in to the ESXi Shell, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
  2. In the directory /etc/vmware/ssl, rename the existing certificates using the following commands.

    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key

  3. Copy the certificates you want to use to /etc/vmware/ssl.
  4. Rename the new certificate and key to rui.crt and rui.key.
  5. Restart the host after you install the new certificate.

    Alternatively, you can put the host into maintenance mode, install the new certificate, use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode.