How to Renew vSphere ESXi Self-Signed Certificates

How to Renew vSphere ESXi Self-Signed Certificates

Learn how to renew expired or expiring VMware vSphere ESXi self-signed SSL certificates with our step-by-step guide. Includes two proven methods, troubleshooting tips, and best practices for maintaining secure access to your virtualization infrastructure.

VMware vSphere ESXi servers use self-signed SSL certificates by default. These certificates have a fixed validity period and eventually expire, which causes browser warnings, connection issues, and management problems. This guide walks you through the process of renewing them.

âš ī¸ Important: Always back up your ESXi host configuration before making certificate changes. Schedule this maintenance during a maintenance window as services may need to be restarted.

Prerequisites

  • SSH access enabled on your ESXi host
  • Root credentials for the ESXi server
  • Basic knowledge of command-line operations
  • A maintenance window (services will restart)

Method 1: Using ESXi Command Line (Recommended)

1 Enable SSH on ESXi

Log into the ESXi web interface (HTTPS), navigate to Host → Manage → Services, and start the SSH service.

2 Connect via SSH

Connect to your ESXi host using an SSH client:

ssh root@your-esxi-host-ip

3 Back Up Existing Certificates

Create a backup of the current certificates:

cd /etc/vmware/ssl
cp rui.crt rui.crt.backup
cp rui.key rui.key.backup

4 Generate New Certificates

Use the built-in certificate generation script:

/sbin/generate-certificates

5 Restart Management Services

Restart the hostd and vpxa services to apply the new certificates:

/etc/init.d/hostd restart
/etc/init.d/vpxa restart


â„šī¸ Note: The restart process typically takes 1-2 minutes. You may lose connection to the web interface temporarily.

Method 2: Manual Certificate Renewal

1 Remove Old Certificates

cd /etc/vmware/ssl
rm rui.crt
rm rui.key

2 Generate New Certificate and Key

openssl req -new -nodes -out rui.csr -keyout rui.key \
    -config /etc/vmware/ssl/openssl.conf
openssl x509 -req -days 3650 -in rui.csr \
    -signkey rui.key -out rui.crt

3 Set Proper Permissions

chmod 644 rui.crt
chmod 600 rui.key

4 Restart Services

/etc/init.d/hostd restart
/etc/init.d/vpxa restart

Verification Steps

After renewing the certificates, verify the changes:

  1. Clear browser cache and close all browser windows
  2. Access the ESXi web interface using HTTPS
  3. Check the certificate by clicking the padlock icon in your browser
  4. Verify the issue date ("Not Before") matches today's date
  5. Confirm the expiration date ("Not After") is approximately 10 years in the future

You can also check the certificate from command line:

openssl x509 -in /etc/vmware/ssl/rui.crt -text -noout | grep -E "Not Before|Not After"
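The Method 1 procedure and the verification command above, combined into one script. This is an added example, not code from the original article or from VMware: it assumes the ESXi paths the article uses (/etc/vmware/ssl, /sbin/generate-certificates, /etc/init.d/hostd and /etc/init.d/vpxa) and that the openssl binary is on the host (Method 2 already relies on it). The SSL_DIR variable and the renew/check arguments are the script's own interface, not anything ESXi provides. Backups go into a timestamped subdirectory so a second run never overwrites the first copy, the key permissions are checked before services restart, and the check mode gives you a non-zero exit status when the certificate is about to expire.

```shell
#!/bin/sh
# Added example (not from the original article or VMware): Method 1 plus the
# verification step as one script. Assumed paths: /etc/vmware/ssl,
# /sbin/generate-certificates, /etc/init.d/hostd, /etc/init.d/vpxa.
set -eu

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"   # assumption: standard ESXi cert location

# Print the validity window of a PEM certificate (same openssl call as the article).
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Copy rui.crt and rui.key into a timestamped subdirectory of $1 and print its path.
# A subdirectory per run avoids clobbering an earlier backup on a second renewal.
backup_certs() {
    dir="$1"
    bdir="$dir/backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$bdir"
    cp -p "$dir/rui.crt" "$dir/rui.key" "$bdir/"
    chmod 600 "$bdir/rui.key"   # the backup key is as sensitive as the live one
    echo "$bdir"
}

# Succeed only if the key is mode 600 and the cert is mode 644, as the article requires.
# ls -l is used instead of stat because busybox and GNU stat take different flags.
check_perms() {
    dir="$1"
    [ "$(ls -l "$dir/rui.key" | cut -c1-10)" = "-rw-------" ] || return 1
    [ "$(ls -l "$dir/rui.crt" | cut -c1-10)" = "-rw-r--r--" ] || return 1
}

# Return 0 if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Full renewal: back up, regenerate, enforce permissions, restart, show new dates.
renew() {
    echo "Before renewal:"; cert_dates "$SSL_DIR/rui.crt"
    bdir=$(backup_certs "$SSL_DIR")
    echo "Backup written to $bdir"
    /sbin/generate-certificates
    chmod 644 "$SSL_DIR/rui.crt"
    chmod 600 "$SSL_DIR/rui.key"
    check_perms "$SSL_DIR" || { echo "permission check failed, not restarting" >&2; exit 1; }
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
    echo "After renewal:"; cert_dates "$SSL_DIR/rui.crt"
}

# Only act when asked explicitly, so the file can be sourced for its functions.
case "${1:-}" in
    renew) renew ;;
    check) days="${2:-30}"
           if cert_valid_for_days "$SSL_DIR/rui.crt" "$days"; then
               echo "certificate valid for at least $days more days"
           else
               echo "certificate expires within $days days" >&2; exit 2
           fi ;;
esac
```

Run `sh renew-esxi-cert.sh renew` during the maintenance window. `sh renew-esxi-cert.sh check 30` exits with status 2 when the certificate expires within 30 days, which is a convenient hook for the automated expiry monitoring recommended under Best Practices.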

Troubleshooting

Services Won't Restart

If services fail to restart, check the log files:

tail -f /var/log/hostd.log
tail -f /var/log/vpxa.log

Certificate Still Shows as Expired

Try these steps:

  • Clear your browser's SSL certificate cache
  • Restart the ESXi host if services won't restart properly
  • Ensure the system time on the ESXi host is correct
  • Verify file permissions are correct (644 for .crt, 600 for .key)

vCenter Shows Host as Disconnected

If your ESXi host is managed by vCenter, you may need to reconnect it:

  1. Log into vCenter
  2. Right-click the ESXi host
  3. Select Connection → Reconnect

Best Practices

  • Schedule regular certificate renewals before expiration (e.g., annually)
  • Document the process and keep records of renewal dates
  • Consider using CA-signed certificates for production environments
  • Monitor certificate expiration using automated tools
  • Test in a lab environment first if you're unfamiliar with the process
  • Disable SSH after completing maintenance for security

💡 Pro Tip: For environments managed by vCenter, consider using the vSphere Certificate Manager (available in vCenter) for centralized certificate management across all your ESXi hosts.

Conclusion

Renewing ESXi self-signed certificates is a straightforward process that helps maintain secure access to your virtualization infrastructure. By following this guide, you can quickly refresh expired certificates and ensure uninterrupted management of your ESXi hosts.

Remember to always back up your configuration before making changes and schedule this work during an appropriate maintenance window to minimize impact on your virtual environment.

