ESXi and vCenter Server support standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over Secure Sockets Layer (SSL) protocol connections between components (in practice, TLS). If SSL is enabled, data is private, protected, and cannot be read or modified in transit without detection, provided the client actually verifies the certificate the server presents.

Certificate checking is enabled by default and SSL certificates are used to encrypt network traffic. However, ESXi and vCenter Server use certificates that are generated automatically during installation and stored on the server system. These certificates are unique per host and make it possible to begin using the server immediately, but they are not verifiable: they are not signed by a trusted, well-known certificate authority (CA), so a client has no way to distinguish them from a certificate presented by an attacker. The default certificates therefore leave connections open to man-in-the-middle attacks. To receive the full benefit of certificate checking, particularly if encrypted remote connections are to be used from outside the management network, install new certificates signed by a valid internal certificate authority or acquire certificates from a trusted commercial CA. Until that is done, confirm the certificate thumbprint out of band before trusting a connection, and do not configure clients or scripts to ignore certificate errors.
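The distinction above, between traffic that is merely encrypted and a session whose peer has actually been verified, is easy to lose in automation, where the usual shortcut is to disable certificate validation altogether. The following Python client is an added example and is not code from the vSphere documentation or from VMware: it offers exactly two ways to reach a host, strict CA verification (the mode you get once CA-signed certificates are installed) and explicit thumbprint pinning for the install-time certificates, and no "ignore errors" option. The host name `vcenter.example.test`, the thumbprints, and the function names are placeholders; the DCUI reference in the comment is where an ESXi administrator can read the host's SSL thumbprint to confirm a pin out of band.

```python
"""Added example (not VMware code): a vSphere client that never silently
accepts an unverifiable server certificate.  Two modes only:
  1. strict CA verification, for hosts that have CA-signed certificates;
  2. thumbprint pinning, for the auto-generated install-time certificates.
Host names and thumbprints below are placeholders."""
import hashlib
import socket
import ssl
from typing import Optional


class CertificateMismatch(Exception):
    """Raised when the presented certificate does not match the pinned one."""


def thumbprint(der_bytes: bytes, algo: str = "sha256") -> str:
    """Colon-separated, uppercase digest of the DER certificate, the format
    shown by `openssl x509 -fingerprint` and by the vSphere clients."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(tp: str) -> str:
    """Accept thumbprints with or without colons or spaces, in any case."""
    return tp.replace(":", "").replace(" ", "").upper()


def verify_pinned(der_bytes: bytes, expected: str, algo: str = "sha256") -> str:
    """Compare the presented certificate against a thumbprint that was
    confirmed out of band.  Returns the thumbprint on success."""
    actual = thumbprint(der_bytes, algo)
    if normalize(actual) != normalize(expected):
        raise CertificateMismatch(f"expected {expected}, server presented {actual}")
    return actual


def strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """CERT_REQUIRED plus host-name checking.  Pass the bundle of the internal
    CA that signed the replacement certificates; None uses the system store."""
    return ssl.create_default_context(cafile=cafile)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Retrieve the server certificate WITHOUT validating it.  Only the
    handshake happens on this connection; it is closed immediately and no
    application data is ever sent over it."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    probe.check_hostname = False
    probe.verify_mode = ssl.CERT_NONE  # acceptable only for this probe
    with socket.create_connection((host, port), timeout=10) as sock:
        with probe.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def pinned_context(der_bytes: bytes, expected: str) -> ssl.SSLContext:
    """Context that trusts exactly one certificate: the one whose thumbprint
    matched the pin.  Host-name checking is off because the install-time
    certificate's subject need not match the name you connect by; the pin
    identifies the server instead."""
    verify_pinned(der_bytes, expected)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=der_bytes)  # bytes are taken as DER
    # Trust the leaf itself rather than requiring a self-signed root above
    # it (flag available in Python 3.10+; older versions skip it).
    ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    return ctx


def connect(host: str, port: int = 443, cafile: Optional[str] = None,
            pinned: Optional[str] = None) -> ssl.SSLSocket:
    """Open a verified session.  Pinning wins if given; otherwise strict CA
    verification.  There is deliberately no way to disable checking."""
    if pinned:
        ctx = pinned_context(fetch_der(host, port), pinned)
    else:
        ctx = strict_context(cafile)
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    # Placeholder host.  Read the thumbprint here, confirm it on the host
    # console (ESXi DCUI, "View Support Information"), then pin that value.
    der = fetch_der("vcenter.example.test")
    print("server presents SHA1", thumbprint(der, "sha1"))
```

Once CA-signed certificates are installed, drop the `pinned` argument and pass the internal CA bundle as `cafile`; the pinning path exists only to bridge the period when the default certificates are still in place, and a changed thumbprint then raises `CertificateMismatch` instead of quietly connecting.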

The SSL Certificate Automation Tool is a command-line utility that automates replacing the default certificates of the vSphere 5.5 components with self-signed or CA-signed certificates. See VMware KB 2057340.