Your company's security policy might require that you replace the default ESXi SSL certificate with a trusted certificate on each host. You can also regenerate a self-signed certificate and key if the default certificate and key were accidentally deleted.

SSL certificates are used to vouch for the identity of the components involved in the communication and to secure communication between vSphere components.

By default, vSphere components use the self-signed certificate and key that are created during installation. Self-signed certificates are as secure as certificates that are issued by an external Certificate Authority as long as the user validates the certificate and its thumbprint when the warning dialog appears.

Replace self-signed certificates with certificates from a trusted CA, either a commercial CA or an organizational CA, if company policy requires it. Consider also replacing certificates to avoid having users get used to clicking through browser warnings. The warning might be an indication of a man-in-the-middle attack, and only inspection of the certificate and thumbprint can guard against such attacks.
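The thumbprint inspection described above can be scripted so that it does not depend on a user reading a warning dialog. The following is an added example, not VMware code: it compares the certificate a host presents against a thumbprint recorded over a trusted channel. The function names and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Hex lengths of the digests this check accepts.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_thumbprint(text):
    """Strip separators and case so 'AB:cd', 'ab cd' and 'ABCD' compare equal."""
    hexdigits = "".join(ch for ch in text if ch not in ": -\t").lower()
    if len(hexdigits) not in _ALGO_BY_HEX_LEN:
        raise ValueError("thumbprint must be a SHA-1 or SHA-256 digest")
    bytes.fromhex(hexdigits)  # raises ValueError on non-hex characters
    return hexdigits


def thumbprint(pem_cert, algo="sha256"):
    """Thumbprint = digest of the certificate's DER encoding, colon-separated."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_recorded(pem_cert, recorded):
    """True only if the presented certificate hashes to the recorded thumbprint."""
    expected = normalize_thumbprint(recorded)
    algo = _ALGO_BY_HEX_LEN[len(expected)]  # infer digest from thumbprint length
    actual = normalize_thumbprint(thumbprint(pem_cert, algo))
    return hmac.compare_digest(actual, expected)


def fetch_presented_cert(host, port=443):
    """Fetch whatever certificate the host presents, without trusting it yet."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-ins for DER certificate bytes (not real certificates).
HOST_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-esxi-host-certificate")
OTHER_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-interceptor-certificate")
RECORDED = thumbprint(HOST_CERT)  # in practice, recorded over a trusted channel

if __name__ == "__main__":
    print(matches_recorded(HOST_CERT, RECORDED))   # certificate is the recorded one
    print(matches_recorded(OTHER_CERT, RECORDED))  # a different certificate was presented
```

Against a live host, pass the result of `fetch_presented_cert()` to `matches_recorded()` and treat a mismatch as a reason to stop rather than a warning to click through.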

You can replace the default certificates with trusted certificates in a number of ways.

If you accidentally deleted the default self-signed certificate and key or you changed the host name, you can generate a new self-signed certificate and key from the ESXi Shell. See Generate New Self-Signed Certificates for ESXi.