Generate new self-signed certificate for XenServer xapi
XenServer uses a key and certificate to provide HTTPS access to xapi (the interface through which the hosts and XenCenter communicate). xapi itself listens on port 80 (HTTP), and stunnel listens on port 443 (HTTPS) and relays connections to port 80. If you are interested, take a look at /etc/stunnel/xapi.conf for the stunnel configuration file.
If the key is too small (e.g. 1024 bits), stunnel will not start, so the server will not be able to speak to the rest of the pool. It will look OK on the console, but will be shown as offline in XenCenter. Older versions of XenServer used a 1024-bit key, so if your server was originally installed a long time ago, you might hit this problem.
To check the certificate:
Public-Key: (2048 bit)
To see its subject:
subject=CN = 192.168.11.11
To generate a new certificate (replace 192.168.11.11 with the IP address of the XenServer host):
# cat key.pem cert.pem > /etc/xensource/xapi-ssl.pem
# service xapi restart
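
The check and regeneration steps above as one script. This is an added example, not the article's own commands: the function names, the openssl options and the 3650-day validity are assumptions. It only replaces the combined PEM file when the key is below 2048 bits or no certificate can be read, and leaves the xapi restart to the operator.

```shell
#!/bin/sh
# Added example (not from the original page). Paths are passed as arguments;
# on a XenServer host the combined file is /etc/xensource/xapi-ssl.pem.

# Print the public-key size in bits of the first certificate in a PEM file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the certificate subject line.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Succeed (exit 0) when the key is smaller than the minimum (default 2048),
# or when no certificate could be read at all.
key_too_small() {
    bits=$(cert_key_bits "$1")
    [ -z "$bits" ] || [ "$bits" -lt "${2:-2048}" ]
}

# Generate a new RSA key and self-signed certificate for CN=$1 and write
# them, key first, to the combined PEM file $2. Key size $3 defaults to 2048.
# The 3650-day validity is an assumption; the page does not state one.
new_combined_pem() {
    cn=$1; out=$2; bits=${3:-2048}
    tmp=$(mktemp -d) || return 1
    (
        umask 077    # the private key must not be world-readable
        openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 3650 \
            -subj "/CN=$cn" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
            2>/dev/null &&
        cat "$tmp/key.pem" "$tmp/cert.pem" > "$out.new" &&
        mv "$out.new" "$out"    # replace the old file only on success
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh newcert.sh <host-ip> <combined-pem>
if [ "$#" -eq 2 ]; then
    if key_too_small "$2"; then
        new_combined_pem "$1" "$2" && echo "replaced $2; now restart xapi"
    else
        echo "$2: $(cert_key_bits "$2")-bit key, $(cert_subject "$2")"
    fi
fi
```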