Note: Following industry best practices, VMware recommends that you regenerate the SSL Certificates and keys on ESX host according to your company's security policy. In the case of custom certificates, replace these certificates according to your company's security policy.
To resolve this issue, replace SSL certificates generated using MD5 with certificates generated using SHA1 hash.
Replacing self-signed certificates
- Log in to the ESX host as root using an SSH client.
- Rename the existing public and private keys in /etc/vmware/ssl/ so you have a backup.
- Open the script /etc/rc.d/init.d/mgmt-vmware using a text editor.
- Locate the line:
/usr/bin/openssl req -new -x509 -keyout "$sslDir"'/rui.key' \
- Change the line to:
/usr/bin/openssl req -new -x509 -sha1 -keyout "$sslDir"'/rui.key' \
- Save your changes and exit.
- Reboot the ESX host. The certificates are regenerated using SHA1 hash.
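The following is an added example, not part of the VMware KB: a POSIX shell check that reports which hash the host certificate is signed with, so you can confirm the MD5-to-SHA1 change took effect after the reboot. It assumes the certificate lives at /etc/vmware/ssl/rui.crt (the KB names only the directory and rui.key; the .crt name is an assumption) and that an openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not VMware's code): audit the signature hash of the ESX
# host certificate. Assumes /etc/vmware/ssl/rui.crt and openssl on PATH.
CERT_PATH="${CERT_PATH:-/etc/vmware/ssl/rui.crt}"

# sig_algo_from_text: read `openssl x509 -noout -text` output on stdin and
# print the first signature algorithm name (e.g. md5WithRSAEncryption).
sig_algo_from_text() {
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# cert_hash_status: classify an algorithm name as "weak" (MD5), "ok", or
# "unknown" when nothing could be parsed.
cert_hash_status() {
    case "$1" in
        md5*|MD5*) echo "weak" ;;
        "")        echo "unknown" ;;
        *)         echo "ok" ;;
    esac
}

# check_cert_file: run openssl on a certificate file, print
# "<file>: <algorithm> (<status>)", return non-zero if still MD5/unreadable.
check_cert_file() {
    algo=$(openssl x509 -noout -text -in "$1" 2>/dev/null | sig_algo_from_text)
    status=$(cert_hash_status "$algo")
    echo "$1: ${algo:-unreadable} ($status)"
    [ "$status" = "ok" ]
}

# Constructed sample of what the check sees before the fix (not real output).
SAMPLE_MD5_TEXT='Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=esxhost.example.com'

if [ -r "$CERT_PATH" ]; then
    check_cert_file "$CERT_PATH"
else
    echo "no readable certificate at $CERT_PATH (set CERT_PATH to override)" >&2
fi
```

Current policies generally treat SHA-1 as weak as well; extend the `case` pattern in cert_hash_status to flag `sha1*` when your company policy requires SHA-2.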
Replacing SSL certificates purchased from a Certificate Authority
To replace SSL certificates purchased from a Certificate Authority, contact your SSL certificate vendor and request replacements that are generated using SHA1 hash.
When you have replaced the certificate, reboot the ESX host.
Replacing self-generated (non-self-signed) SSL certificates
To replace self-generated SSL certificates, contact your SSL certificate provider and request replacements that are generated using SHA1 hash.
When you have replaced the certificate, reboot the ESX host.