VMware recommends that you replace default certificates with those signed by a commercial certificate authority.

When you replace default server certificates in a production environment, deploy new certificates in stages, rather than all at the same time. Make sure that you understand the process as it applies to your environment before you replace certificates.

Obtain certificates from a commercial certificate authority.


VMware products implement the OpenSSL libraries and toolkits to generate the default certificates that are created during installation process. You can use OpenSSL to create certificate-signing requests (CSRs).


You must generate a certificate-signing request (CSR) for each system that requires a replacement certificate.


The rui.pfx file is a concatenation of the system’s certificate and private key, exported in the PFX format. The file is copied to the subdirectory on the vCenter Server system.


The replacement certificate reencrypts all host passwords and the database password by using the new certificate.