Here is a step-by-step walk through by Tech Support Engineer Jasbinder Bhatti on how to install custom SSL certificates into your environment. These steps complement KB articles 1029944 and 1005210. We recommend you be familiar with those KB articles before you embark on this mission.


  1. Putty to the ESX Host and rename the existing key so you have backups and the ability to rollback after your new credential pair is generated and obtained from Certificate authority.

    mv /etc/vmware/ssl/rui.key rui.keybackup

    The following is an appropriate responses from ESX:

    [root@esx001 ssl]# openssl req -new -keyout rui.key -out esx.csr Generating a 1024 bit RSA private key

  2. Send the csr file off the Certificate authority and wait for the Intermediate and new server certificate (servername.crt) to be returned to you. The newly generated key will not be usable until after the new Intermediate Key and matching server certificate are received back from Certificate authority. In the interim, rename the newly generated key for later use and restore the original backed up key as shown:

    mv /etc/vmware/ssl/rui.key rui.keynew
    mv /etc/vmware/ssl/rui.keybackup rui.key

    You will notice if you cat the rui.keynew file at this stage that its indicates its encrypted from the following lines once the new servername.crt and intermediate.crt files are received back from Certificate authority.

    Proc-Type: 7, ENCRYPTED
    DEK-Info: DES-EDE4-CXD,E23F5B5323EF34E4

  3. The intermediate.crt file will also need to imported (if not already done so) to the windows Certificate Store. Check for the existence of this Certificate in Internet Options >> Content on the Intermediate Certificates Tab.
  4. Rename the original certificate and key files (rui.crt and rui.key) files for backup purposes as shown: 

    mv /etc/vmware/ssl/rui.crt rui.crtbackup
    mv /etc/vmware/ssl/rui.key rui.keybackup

  5. Rename the servername.crt and rui.keynew to rui.crt and rui.key as follows

    mv /etc/vmware/ssl/esxservername.crt rui.crt
    mv /etc/vmware/ssl/rui.keynew rui.key

  6. Reformat the x509 certificate with the commands below. Make sure you are in the /etc/vmware/ssl directory when doing so.

    openssl x509 -text -in rui.crt -out rui.text

  7. Open the file and remove all the text except the information below. In other words – you should see –begin certificate, the information in between, and – end certificate — when you have completed the edit.

    18788ylfhdlharelere ……………………………..

  8. Rename the rui.crt file back to the servername.crt. and rui.text file back to rui.crt

    mv rui.crt servename.crt
    mv rui.text rui.crt

  9. You will have to remove the encryption at this point with the following command:

    openssl rsa -in rui.key -out rui.key.unencripted

    at this point you will be prompted for the root password.

  10. Enter pass phrase for rui.key
  11. Rename the rui.key to rui.keynew as follows:

    mv rui.key rui.keynew

  12. Rename the rui.key.unencripted file back to rui.key as follows:

    mv rui.key.unencripted rui.key

  13. Restart the following services on the Esx Host Server as follows:

    service mgmt-vmware restart
    service vmware-vpxa restart
    service vmware-webAccess restart

  14. The Virtual Center the server will eventually come up in a “not responding” state and will need to be disconnected then reconnected after this step.To do this:

    Right Click on the ESX Host > Select "Disconnect"

    Right Click on the ESX Host > Select "Connect"