VMware ESXi 8

Replace Certificate
2023/12/26


Replace the certificate that was auto-generated when ESXi was installed with one you obtained yourself, for example from Let's Encrypt.


[1] Transfer the certificate you obtained to the ESXi host.
In this example, the certificate was obtained from Let's Encrypt.

Be careful when using Let's Encrypt certificates.
The default key type for Let's Encrypt is currently [ECDSA], but ESXi does not support [ECDSA] server certificates. When obtaining a certificate from Let's Encrypt with the [certbot] command, add the [--key-type rsa] option so that an [RSA] certificate is issued.

[2] Replace certificate.
# the certificate you obtained yourself

ll /tmp/*.pem

-rw-r--r--    1 root     root          5510 Dec 26 00:59 /tmp/fullchain.pem
-rw-------    1 root     root          1704 Dec 26 00:59 /tmp/privkey.pem

# switch system to the maintenance mode

esxcli system maintenanceMode set --enable true

esxcli system maintenanceMode get

# replace certificate

cd /etc/vmware/ssl

cp -p rui.crt rui.crt.orig

cp -p rui.key rui.key.orig

cp /tmp/fullchain.pem ./rui.crt

cp /tmp/privkey.pem ./rui.key
# restart system

esxcli system shutdown reboot --reason "Replacing Certificate"
# after restarting, unset maintenance mode

esxcli system maintenanceMode set --enable false

esxcli system maintenanceMode get

# * you can regenerate the auto-generated certificate as follows


[3] Make sure certificate warnings are no longer shown in VMware Host Client. (This applies only if your certificate is a valid one.)
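
The ECDSA caveat in step [1] can be checked mechanically before the files are copied in step [2]. The following pre-flight script is an added example, not part of the original page: it assumes an `openssl` binary with the `x509` and `pkey` subcommands is available where it runs, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a certificate/key pair before it is
# copied to /etc/vmware/ssl. Assumes openssl (x509 and pkey subcommands).

# Print the public-key algorithm of the leaf (first) certificate in a PEM file.
cert_key_type() {
    algo=$(openssl x509 -in "$1" -noout -text 2>/dev/null | grep -m1 'Public Key Algorithm')
    case "$algo" in
        *rsaEncryption*)  echo rsa ;;
        *id-ecPublicKey*) echo ec ;;
        *)                echo other ;;
    esac
}

# Succeed only if the private key ($2) belongs to the leaf certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; return 0 only when the pair is safe to install.
preflight() {
    cert=$1; key=$2
    ktype=$(cert_key_type "$cert")
    if [ "$ktype" != rsa ]; then
        echo "FAIL: leaf key type is '$ktype'; ESXi needs RSA (certbot --key-type rsa)"
        return 1
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "FAIL: private key does not match the leaf certificate"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"
        return 1
    fi
    echo "OK: RSA certificate, key matches, not expired"
}

# Usage: sh preflight.sh /tmp/fullchain.pem /tmp/privkey.pem
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit status means the pair should not be copied over rui.crt and rui.key.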