Replacing the VMware Default Certificate

Note: The self-signed or CA-signed certificate must be generated using the fully qualified domain name as the hostname for the ESXi server.

By default, a VMware certificate uses localhost.localdomain as the hostname for the ESXi server.

To replace the VMware default certificate with a certificate that is generated using the hostname of the ESXi server, follow these example steps on the ESXi server:

Note: This example describes the steps to be followed on ESX5.1 and ESX5.5 servers. For the latest information, see the VMware documentation that describes how to replace the VMware default certificate.

  1. Make sure the /etc/hosts file has the following format for resolving the host:

    #/etc/hosts
    127.0.0.1 localhost.localdomain localhost
    ::1 localhost.localdomain localhost
    10.78.xx.xxx hostname.domain.com hostname

  2. Make sure SSH is enabled on the ESXi server.

  3. Log in to the ESXi Shell as a user with administrator privileges.

  4. Navigate to the following directory:

    /etc/vmware/ssl

  5. Back up any existing certificates by renaming them using the following commands:

    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key

  6. To generate new certificates, run the following command:

    /sbin/generate-certificates

  7. Restart the host.

  8. Confirm the host successfully generated new certificates:

    1. Use the following command to list the certificates:

      ls -la

    2. Compare the time stamps of the new certificate files with orig.rui.crt and orig.rui.key, if the original files are available.
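
Time stamps show only that new files were written, not that the certificate carries the right name. The following script is an added example, not part of the original procedure or of VMware's tooling: it checks the /etc/hosts layout from step 1 and then confirms that the subject CN of rui.crt is the fully qualified domain name rather than localhost.localdomain. It assumes awk and openssl are available in the ESXi Shell and that the hostname appears in the subject CN; the script name, esx01.example.com and 192.0.2.10 are constructed values.

```shell
#!/bin/sh
# Added example: pre- and post-checks for the certificate replacement steps.

# check_hosts FILE FQDN: succeed only if FQDN is the first name on a
# non-loopback line of FILE and does not also appear on a loopback line.
check_hosts() {
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }                 # strip comments
        NF < 2 { next }
        {
            loop = (($1 ~ /^127\./) || ($1 == "::1"))
            for (i = 2; i <= NF; i++)
                if ($i == fqdn) { if (loop) bad = 1; else if (i == 2) ok = 1 }
        }
        END { exit !(ok && !bad) }
    ' "$1"
}

# cert_cn_matches CERT FQDN: succeed if the subject CN of CERT equals FQDN.
# Normalizes both "subject= /CN=host" and "subject=CN = host" output styles.
cert_cn_matches() {
    subj=$(openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/ *= */=/g')
    case "$subj" in
        *"CN=$2" | *"CN=$2,"* | *"CN=$2/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# On the host: sh check_cert.sh esx01.example.com   (hypothetical script name)
if [ "$#" -eq 1 ]; then
    check_hosts /etc/hosts "$1" || echo "WARN: $1 is not the first name on a non-loopback line"
    cert_cn_matches /etc/vmware/ssl/rui.crt "$1" || echo "WARN: rui.crt subject CN is not $1"
else
    # Constructed sample (documentation address and made-up names).
    sample=$(mktemp)
    printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
        '::1 localhost.localdomain localhost' \
        '192.0.2.10 esx01.example.com esx01' > "$sample"
    check_hosts "$sample" esx01.example.com && echo "sample: esx01.example.com OK"
    check_hosts "$sample" localhost.localdomain || echo "sample: localhost.localdomain rejected"
    rm -f "$sample"
fi
```

Running the hosts check before step 6 catches a missing or loopback-only entry before a certificate is generated from it.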