When you replace a certificate on an ESXi host by using the vSphere Web Services SDK, the previous certificate and key are appended to a .bak file. You can restore previous certificates by moving the information in the .bak file to the current certificate and key files.
The host certificate and key are located in /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. When you replace a host certificate and key by using the vSphere Web Services SDK vim.CertificateManager managed object, the previous key and certificate are appended to the file /etc/vmware/ssl/rui.bak.
Note: If you replace the certificate by using HTTP PUT, vifs, or from the ESXi Shell, the existing certificates are not appended to the .bak file.
Procedure
- On the ESXi host, locate the file /etc/vmware/ssl/rui.bak.
The file has the following format.
#
# Host private key and certificate backup from 2014-06-20 08:02:49.961
#
-----BEGIN PRIVATE KEY-----
previous key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
previous cert
-----END CERTIFICATE-----
- Copy the text starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY----- into the /etc/vmware/ssl/rui.key file. Include the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.
- Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into the /etc/vmware/ssl/rui.crt file. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Restart the host or send ssl_reset events to all services that use the keys. The following loop asks each init script whether it supports ssl_reset and, if it does, sends the event:
for s in /etc/init.d/*; do if "$s" | grep -q ssl_reset; then "$s" ssl_reset; fi; done