How To Install And Configure The CA Signed Certificate On ESXi Host?

How to Install and Configure the CA Signed Certificate on ESXi Host?

After generating the custom CA “Signed certificate” as mentioned in our previous blog, you need to install and configure the signed certificate on ESXi Host.

After the generation of the certificate, you need to login to vCenter Server.

Initially, you need to put the host into Maintenance Mode.

Note: If the ESXi 6.0 connects to VC 6.0 after replacing its cert with this KB, the host certs would be replaced by VMCA signed certs. Firstly, VC 6.0 needs to switch to custom certificate mode. For more information, see Understanding Certificate Mode Switches.

In order to set certificate mode in vCenter web client, you need to select the vCenter server that manages the hosts and click on Settings. Click on the advancement settings, and edit it.

In the filter box, enter the certmgmt to display the certificate management keys.

You can also change the value of vpxd.certmgmt.mode to custom if you intend to manage your own certificates, and to thumbprint if you temporarily want to use thumbprint mode, and then click OK button.

Once you have done VMCA mode, then you can click on “OKAY” button and restart the vCenter server.

Instaling CA Certificate on ESXi Host

Please confirm that the ESXi Host should in the maintenance mode on which you need to install the CA-signed certificate.

Now, you need to make a connection.

Now connect the FTP Filezilla or WINSCP.

You have to upload the new “rui.crt” as well as “rui.key” file to (/etc/vmware/ssl).


You need to navigate to “/etc/vmware/ssl” directory and copy SSL files to a backup location.

Now, you need to delete the existing “rui.crt” and “rui.key” from the directory (/etc/vmware/ssl).

You need to make the permissions of Rui.cert 644 and Rui.key 400.

After completing the previous task, you need to reboot the ESXi host. It may take it down for 2 minutes once the host is up and check the status of URL in the browser which should be green in color.

Once the CA is installed, you need to exit the maintenance mode in the ESXi Host.