
Generating new self-signed certificates for the ESXi host

About this task

Generate new certificates only if you change the host name or accidentally delete the certificate. Under certain circumstances, you must force the host to generate new certificates.

To receive the full benefit of certificate checking, particularly if you want to use encrypted remote connections externally, do not use a self-signed certificate. Instead, install new certificates that are signed by a valid internal certificate authority or purchase a certificate from a trusted security authority.

Before you begin

Start an SSH session on the ESXi host.

Procedure

  1. Log in to the ESXi host as an admin user.
  2. To create a backup of any existing certificates, in the /etc/vmware/ssl directory, rename the certificates by using the following commands:
    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key
    Note: Do not perform this step if you are regenerating certificates because you deleted the certificates.

  3. To generate new certificates, type /sbin/generate-certificates.
  4. Restart the ESXi host.

    The generation process places the new certificates in the correct location.

  5. (Optional) Do the following:
    1. Move the ESXi host to the maintenance mode.
    2. Install the new certificate.
    3. Restart management agents from Direct Console User Interface (DCUI).
  6. Do the following to confirm that the host successfully generated new certificates:
    1. Type ls -la.
    2. Compare the time stamps of the new certificate files with orig.rui.crt and orig.rui.key.
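The following script is an added example that is not part of this page or of VMware's tooling. It wraps steps 2, 3 and 6 of the procedure into shell functions for the ESXi shell: it backs up rui.crt and rui.key to orig.rui.* only when both exist (so the note about deleted certificates is handled explicitly instead of leaving a stray orig.* file), runs the generator, and then confirms that the new files exist and carry a newer time stamp than the backups, which is the check step 6 asks you to do by eye with ls -la. SSL_DIR and GEN_CMD default to the /etc/vmware/ssl directory and /sbin/generate-certificates command named on the page, but both are overridable; the names SSL_DIR, GEN_CMD, backup_certs, regenerate_certs, verify_certs and renew_certs are assumptions of this example, and the script only performs the renewal when invoked with the argument run.

```shell
#!/bin/sh
# Added example, not part of the original page. SSL_DIR and GEN_CMD default to
# the paths the procedure uses; override them to exercise the logic elsewhere.
SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"
GEN_CMD="${GEN_CMD:-/sbin/generate-certificates}"

# Step 2: rename the current certificate and key to orig.rui.*.
# Returns 0 when a backup was made, 1 when there was nothing to back up
# (certificate already deleted, so the note says to skip this step),
# 2 when the rename itself failed.
backup_certs() {
  if [ -f "$SSL_DIR/rui.crt" ] && [ -f "$SSL_DIR/rui.key" ]; then
    mv "$SSL_DIR/rui.crt" "$SSL_DIR/orig.rui.crt" || return 2
    mv "$SSL_DIR/rui.key" "$SSL_DIR/orig.rui.key" || return 2
    return 0
  fi
  return 1
}

# Step 3: generate new self-signed certificates.
regenerate_certs() {
  "$GEN_CMD"
}

# Step 6: the new certificate and key must exist, be non-empty, and be newer
# than the backups when backups are present. mv preserves the modification
# time, so orig.rui.* keeps the old time stamp and the comparison is meaningful.
verify_certs() {
  [ -s "$SSL_DIR/rui.crt" ] || return 1
  [ -s "$SSL_DIR/rui.key" ] || return 1
  if [ -f "$SSL_DIR/orig.rui.crt" ]; then
    [ "$SSL_DIR/rui.crt" -nt "$SSL_DIR/orig.rui.crt" ] || return 1
  fi
  if [ -f "$SSL_DIR/orig.rui.key" ]; then
    [ "$SSL_DIR/rui.key" -nt "$SSL_DIR/orig.rui.key" ] || return 1
  fi
  return 0
}

# Whole procedure: back up (if applicable), regenerate, verify, and show the
# directory listing so the time stamps can also be compared by eye.
renew_certs() {
  if backup_certs; then
    echo "backed up existing certificate and key to orig.rui.*"
  elif [ $? -eq 2 ]; then
    echo "backup of existing certificate failed; aborting" >&2
    return 1
  else
    echo "no existing certificate and key found; skipping backup"
  fi
  regenerate_certs || { echo "certificate generation failed" >&2; return 1; }
  ls -la "$SSL_DIR"
  verify_certs || { echo "new certificate files missing or not newer" >&2; return 1; }
  echo "new certificate and key verified"
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "run" ]; then
  renew_certs
fi
```

After a successful run, restart the host (step 4) so the management agents pick up the new files; the script deliberately does not reboot for you.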

Next Steps

Replace the self-signed certificate and the key with a trusted certificate and key.