The ESXi host uses automatically generated certificates that are created as part of the installation process. These certificates are unique and make it possible to begin using the server, but they are not verifiable and they are not signed by a trusted, well-known certificate authority (CA). Using default certificates might not comply with the security policy of your organization. If you require a certificate from a trusted certificate authority, you can replace the default certificate.


ESXi supports only X.509 certificates to encrypt session information sent over SSL connections between server and client components.

All file transfers and other communications occur over a secure HTTPS session. The user used to authenticate the session must have the privilege Host.Config.AdvancedConfig on the host. For more information on ESXi privileges, see About Users, Groups, Permissions, and Roles


Use the vifs command to put a copy of the certificate and key files on the ESXi host.

The form this command takes for the certificate and key respectively is:

vifs --server <hostname> --username <username> --put rui.crt /host/ssl_cert
vifs --server <hostname> --username <username> --put rui.key /host/ssl_key

Use the Restart Management Agents operation through the direct console to have the settings take effect.