Knowledge Base

To create a 128-bit cipher, you need to create a new SSL certificate for the ESX host.

To create the new certificate:

1. Put the host into Maintenance Mode.
2. Back up the existing SSL key and certificate. Run this command to move the existing SSL key:
   
   # mv /etc/vmware/ssl/rui.* /tmp/
   
   
3. Modify hostd to regenerate a 128-bit key:
   
   
   1. Run this command to edit the hostd file:
      
      # vi /etc/init.d/mgmt-vmware

      
   2. Change this line from:
      
      /usr/bin/openssl req -new -x509 -keyout "$sslDir"'/rui.key' \
      
      to:
      
      /usr/bin/openssl req -newkey rsa:2048 -x509 -keyout "$sslDir"'/rui.key' \
      
      
   3. Save the changes.
      
      
4. Reboot your host to allow it to begin using the new certificate, or restart the host services:
   
   
   1. Restart hostd, using this command:
      
      Caution: Ensure Automatic Startup/Shutdown of virtual machines is disabled before running this command or you risk rebooting the virtual machines. For more information, see Restarting hostd (mgmt-vmware) on ESX hosts restarts hosted virtual machines where virtual machine Startup/Shutdown is enabled (1003312).
      
      service mgmt-vmware restart
      
      
   2. Restart vmkauthd, using this command:
      
      service vmware-vmkauthd restart
      
      
5. Exit Maintenance Mode.
6. Check /etc/vmware/ssl to ensure you see two files, rui.key and rui.crt.
   
   Note: ESX 4.x creates certificates with 128-bit ciphers by default.