When you replace a certificate on an ESXi host by using the vSphere Web Services SDK, the previous certificate and key are appended to a .bak file. You can restore previous certificates by moving the information in the .bak file to the current certificate and key files.

The host certificate and key are located in /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. When you replace a host certificate and key by using the vSphere Web Services SDK vim.CertificateManager managed object, the previous key and certificate are appended to the file /etc/vmware/ssl/rui.bak.

Note: If you replace the certificate by using HTTP PUT, vifs, or from the ESXi Shell, the existing certificates are not appended to the .bak file.


  1. On the ESXi host, locate the file /etc/vmware/ssl/rui.bak.
    The file has the following format.
    # Host private key and certificate backup from 2014-06-20 08:02:49.961
    -----BEGIN PRIVATE KEY-----
    previous key
    -----END PRIVATE KEY-----
    previous cert
    -----END CERTIFICATE-----
  2. Copy the text starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY----- into the /etc/vmware/ssl/rui.key file.
    Include -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.
  3. Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into the /etc/vmware/ssl/rui.crt file.
    Include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  4. Restart the ESXi host.
    Alternatively, you can put the host into maintenance mode and use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode.