ESXi uses automatically generated certificates that are created as part of the installation process. These certificates are unique and make it possible to begin using the server, but they are not verifiable and they are not signed by a trusted certificate authority (CA).
About this task
Using default certificates might not comply with the security policy of your organization. If you require a certificate from a trusted certificate authority, you can replace the default certificate.
If the host has Verify Certificates enabled, replacing the default certificate might cause vCenter Server to stop managing the host. Disconnect and reconnect the host if vCenter Server cannot verify the new certificate.
ESXi supports only X.509 certificates to encrypt session information sent over SSL connections between server and client components.
All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege ESXi privileges, see the vSphere Single Host Management publication.on the host. For more information on
- Back up the existing certificates.
- Generate a certificate request following the instructions from the certificate authority.
- At the command line, use the vifs command to upload the certificate to the appropriate location on the host.
vifs --server hostname --username username --put rui.crt /host/ssl_cert
vifs --server hostname --username username --put rui.key /host/ssl_key
- Restart the host.
Alternatively, you can put the host into maintenance mode, install the new certificate, and then use the Direct Console User Interface (DCUI) to restart the management agents.