When you replace a certificate on an ESXi host by using the vSphere Web Services SDK, the previous certificate and key are appended to a .bak file. You can restore previous certificates by moving the information in the .bak file to the current certificate and key files.
The host certificate and key are located in /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. When you replace a host certificate and key by using the vSphere Web Services SDK vim.CertificateManager managed object, the previous key and certificate are appended to the file /etc/vmware/ssl/rui.bak.
If you replace the certificate by using HTTP PUT, vifs, or from the ESXi Shell, the existing certificates are not appended to the .bak file.
- On the ESXi host, locate the file /etc/vmware/ssl/rui.bak.
The file has the following format.
    #
    # Host private key and certificate backup from 2014-06-20 08:02:49.961
    #
    -----BEGIN PRIVATE KEY-----
    previous key
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    previous cert
    -----END CERTIFICATE-----
- Copy the text starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY----- into the /etc/vmware/ssl/rui.key file.
  Include -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.
- Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into the /etc/vmware/ssl/rui.crt file.
- Restart the host or send ssl_reset events to all services that use the keys.
    for s in /etc/init.d/*; do $s | grep ssl_reset > /dev/null; if [ $? == 0 ]; then $s ssl_reset; fi; done
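The copy steps above, as an added example that is not part of the original procedure: because previous keys and certificates are appended to rui.bak, the file may hold more than one backup, so this script takes the last key and certificate blocks and writes them to staging files instead of editing the live files. The function names, the `.restore` file names and the sample contents (including the second timestamp) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: stage the newest key/cert from a rui.bak-style file.
# Nothing under /etc/vmware/ssl is modified.

# Print the last PEM block with the given label, markers included.
# Assumption: entries are appended, so the newest backup is the last one.
last_pem_block() {   # usage: last_pem_block FILE LABEL
    awk -v b="-----BEGIN $2-----" -v e="-----END $2-----" '
        $0 == b { buf = ""; inblk = 1 }
        inblk   { buf = buf $0 "\n" }
        $0 == e { if (inblk) last = buf; inblk = 0 }
        END     { printf "%s", last }
    ' "$1"
}

# Write both blocks to OUTDIR/*.restore; fail if either block is missing.
stage_from_bak() {   # usage: stage_from_bak BAK OUTDIR
    ( umask 077; last_pem_block "$1" "PRIVATE KEY" > "$2/rui.key.restore" )
    last_pem_block "$1" "CERTIFICATE" > "$2/rui.crt.restore"
    [ -s "$2/rui.key.restore" ] && [ -s "$2/rui.crt.restore" ]
}

# Constructed sample: two appended backups with placeholder bodies.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rui.bak" <<'EOF'
#
# Host private key and certificate backup from 2014-06-20 08:02:49.961
#
-----BEGIN PRIVATE KEY-----
OLDKEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
OLDCERT
-----END CERTIFICATE-----
#
# Host private key and certificate backup from 2014-07-01 10:15:00.000
#
-----BEGIN PRIVATE KEY-----
NEWKEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
NEWCERT
-----END CERTIFICATE-----
EOF
stage_from_bak "$demo_dir/rui.bak" "$demo_dir" && echo "staged in $demo_dir"
```

Review the staged files before copying them over /etc/vmware/ssl/rui.key and /etc/vmware/ssl/rui.crt; the restart or ssl_reset step above still applies afterward.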