You can replace the default VMCA-signed ESXi certificates from the ESXi Shell.


  • If you want to use third-party CA-signed certificates, generate the certificate request, send it to the certificate authority, and store the certificates on each ESXi host.
  • If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Client.
  • All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on the host.


  1. Log in to the ESXi Shell, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
  2. In the directory /etc/vmware/ssl, rename the existing certificates using the following commands.
    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key
  3. Copy the certificates that you want to use to /etc/vmware/ssl.
  4. Rename the new certificate and key to rui.crt and rui.key.
  5. Restart the host after you install the new certificate.
    Alternatively, you can put the host into maintenance mode, install the new certificate, use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode.

What to do next

Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).