ESXi and vCenter Server support standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over Secure Socket Layer (SSL) protocol connections between components. If SSL is enabled, data is private, protected, and cannot be modified in transit without detection.

All network traffic is encrypted as long as the following conditions are true:

You did not change the Web proxy service to allow unencrypted traffic for the port.

Your firewall is configured for medium or high security.

Certificate checking is enabled by default and SSL certificates are used to encrypt network traffic. However, ESXi and vCenter Server use automatically generated certificates that are created as part of the installation process and stored on the server system. These certificates are unique and make it possible to begin using the server, but they are not verifiable and are not signed by a trusted-well-known certificate authority (CA). These default certificates are vulnerable to possible man-in-the-middle attacks.

To receive the full benefit of certificate checking, particularly if you intend to use encrypted remote connections externally, install new certificates that are signed by a valid internal certificate authority or purchase a certificate from a trusted security authority. Replacing vCenter Server certificates is described in the vSphere Examples and Scenarios documentation.

Note

If the self-signed certificate is used, clients receive a warning about the certificate. To address this issue, install a certificate that is signed by a recognized certificate authority. If CA-signed certificates are not installed, all communication between vCenter Server and vSphere Clients is encrypted using a self-signed certificate. These certificates do not provide the authentication security you might need in a production environment.

The certificate consists of two files: the certificate itself (rui.crt) and the private-key file (rui.key).

Default Location of ESXi and vCenter Server Certificate Files

Server

Location

ESXi 5.0

/etc/vmware/ssl/

vCenter Server (Windows 2008)

C:\Program Data\VMware\VMware VirtualCenter\SSL

vCenter Server (Windows 2003)

C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL