You can replace the default VMCA-signed ESXi certificates with the vifs command.

If you want to use third-party CA-signed certificates, generate the certificate request, send it to the certificate authority, and store the certificates on each ESXi host.

If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Web Client. See Use the vSphere Web Client to Enable Access to the ESXi Shell.

All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege Host.Config.AdvancedConfig on the host. For more information on assigning privileges through roles, see Managing Permissions for vCenter Components.


Back up the existing certificates.


Generate a certificate request following the instructions from the certificate authority.


When you have the certificate, use the vifs command to upload the certificate to the appropriate location on the host from an SSH connection to the host.

vifs --server hostname --username username --put rui.crt /host/ssl_cert

vifs --server hostname --username username --put rui.key /host/ssl_key


Restart the host.

Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).