You typically generate new certificates only if you change the host name or accidentally delete the certificate. Under certain circumstances, you must force the host to generate new certificates.

Note: To receive the full benefit of certificate checking, particularly if you intend to use encrypted remote connections externally, do not rely on a self-signed certificate. Instead, install certificates signed by your internal certificate authority, or purchase a certificate from a trusted public certificate authority.


  1. Log in to the ESXi Shell as a user with administrator privileges.
  2. In the directory /etc/vmware/ssl, back up the existing certificate and key by renaming them with the following commands.
    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key
    Note: If you are regenerating certificates because you have deleted them, this step is unnecessary.
  3. Run the command /sbin/generate-certificates to generate a new certificate and key.
  4. Restart the host.
    The generator writes the new files directly to /etc/vmware/ssl, so no copying is needed. Instead of rebooting, you can put the host into maintenance mode and restart the management agents from the Direct Console User Interface (DCUI) so that they load the new certificate.
  5. Confirm that the host generated new certificates by listing the directory and comparing the time stamps of rui.crt and rui.key with those of orig.rui.crt and orig.rui.key. The new files must be newer.
    ls -la /etc/vmware/ssl
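The steps above, written as a shell script with one function per step so that each can be checked rather than eyeballed. This is an added example, not code from the VMware page or from ESXi itself. SSL_DIR and GEN_CMD are assumed names that default to the paths the page gives; they are parameters only so the script can be dry-run against a scratch directory with a stand-in generator before it is pointed at a real host. The key/certificate match check goes beyond the page and assumes openssl is on the path.

```shell
#!/bin/sh
# Added example, not code from the VMware page: the steps above wrapped in
# shell functions so each one can be checked. SSL_DIR and GEN_CMD are
# assumed parameter names that default to the paths the page names; they
# exist only so the script can be dry-run against a scratch directory.
set -u

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"
GEN_CMD="${GEN_CMD:-/sbin/generate-certificates}"

# Step 2: move rui.crt and rui.key aside as orig.rui.crt / orig.rui.key.
# Returns 0 if something was backed up, 1 if there was nothing to back up
# (the "you deleted the certificate" case, where the step is unnecessary).
backup_certs() {
    dir="$1"; backed=1
    for f in rui.crt rui.key; do
        if [ -e "$dir/$f" ]; then
            mv "$dir/$f" "$dir/orig.$f" || return 2
            backed=0
        fi
    done
    return "$backed"
}

# Step 3: run the generator (a command path, or a shell function name
# when dry-running).
regenerate_certs() {
    "$1"
}

# Step 5: the new files must exist, be non-empty and, when a backup exists,
# carry a newer modification time than it. Anything else means the
# generator did not replace the old pair.
verify_regenerated() {
    dir="$1"
    for f in rui.crt rui.key; do
        if ! [ -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
        if [ -e "$dir/orig.$f" ] && ! [ "$dir/$f" -nt "$dir/orig.$f" ]; then
            echo "$dir/$f is not newer than $dir/orig.$f" >&2
            return 1
        fi
    done
    return 0
}

# Extra check beyond the page: the new key must belong to the new
# certificate. Compares the public key embedded in rui.crt with the one
# derived from rui.key. Needs openssl.
key_matches_cert() {
    dir="$1"
    crt_pub=$(openssl x509 -in "$dir/rui.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/rui.key" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Driver: steps 2, 3 and 5 in order. Step 4 (reboot, or restart the
# management agents) is left to the operator.
regenerate_esxi_certs() {
    dir="$1"; gen="$2"
    backup_certs "$dir" || [ $? -eq 1 ] || return 1
    regenerate_certs "$gen" || return 1
    verify_regenerated "$dir" || return 1
    ls -la "$dir"
    if command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$dir" || { echo "rui.key does not match rui.crt" >&2; return 1; }
        # Print the new SHA-256 thumbprint so it can be compared with what
        # vCenter Server or a client shows when it next connects.
        openssl x509 -in "$dir/rui.crt" -noout -fingerprint -sha256
    fi
}

if [ "${1:-}" = "--run" ]; then
    regenerate_esxi_certs "$SSL_DIR" "$GEN_CMD"
fi
```

On a host, run it as `sh regen-certs.sh --run` from the ESXi Shell and then carry out step 4. To rehearse it elsewhere, set SSL_DIR to a scratch directory and GEN_CMD to a shell function that writes a test pair; backup_certs returning 1 (nothing to back up) is treated as success by the driver, matching the page's note that the backup step is unnecessary when the certificate was deleted.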

What to do next

Consider replacing the self-signed certificate and key with a certificate and key issued by a trusted certificate authority. The regenerated certificate also has a new thumbprint, so if the host is managed by vCenter Server, reconnect it there so that vCenter Server records the new value.