When you replace a certificate on an ESXi host by using the vSphere Web Services SDK, the previous certificate and key are appended to a .bak file. You can restore previous certificates by moving the information in the .bak file to the current certificate and key files.

The host certificate and key are located in /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. When you replace a host certificate and key by using the vSphere Web Services SDK vim.CertificateManager managed object, the previous key and certificate are appended to the file /etc/vmware/ssl/rui.bak.

Note

If you replace the certificate by using HTTP PUT, vifs, or from the ESXi Shell, the existing certificates are not appended to the .bak file.

1

On the ESXi host, locate the file /etc/vmware/ssl/rui.bak.

The file has the following format.

#
# Host private key and certificate backup from 2014-06-20 08:02:49.961
#

-----BEGIN PRIVATE KEY-----
previous key
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
previous cert
-----END CERTIFICATE-----
2

Copy the text starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY----- into the /etc/vmware/ssl/rui.key file.

Include -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.

3

Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into the /etc/vmware/ssl/rui.crt file.

Include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

4

Restart the host or send ssl_reset events to all services that use the keys.

for s in /etc/init.d/*; do $s | grep ssl_reset > /dev/null; if [ $? == 0 ]; then $s ssl_reset; fi; done