You can use third-party applications to upload certificates and key. Applications that support HTTPS PUT operations work with the HTTPS interface that is included with ESXi.


  • If you want to use third-party CA-signed certificates, generate the certificate request, send it to the certificate authority, and store the certificates on each ESXi host.
  • If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Client.
  • All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on the host.


  1. Back up the existing certificates.
  2. Set up basic access authentication, in which you supply a Base64 encoded username and password, separated with a single colon (:). For more information, see
  3. In your upload application, process each file as follows:
    1. Open the file.
    2. Publish the file to one of these locations.
      Option Description
      Certificates https://hostname/host/ssl_cert
      Keys https://hostname/host/ssl_key
    The /host/ssl_cert and the host/ssl_key locations link to the certificate files in /etc/vmware/ssl.
  4. Restart the host.
    Alternatively, you can put the host into maintenance mode, install the new certificate, use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode.

What to do next

Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).