Generate new self-signed certificate for XenServer xapi
XenServer uses a key and certificate to provide HTTPS access to xapi (the method that the hosts and XenCenter use to communicate). xapi itself listens on port 80 (HTTP), and stunnel listens on port 443 (HTTPS) and relays connections to port 80. If you are interested, take a look at /etc/stunnel/xapi.conf for the stunnel configuration file.
If the key is too small (e.g. 1024 bits), stunnel will not start, so the server will not be able to speak to the rest of the pool. It will look OK on its console, but will be shown as offline in XenCenter (so you won't be able to connect). Older versions of XenServer used a 1024-bit key, so if your server was originally installed a long time ago, you might hit this problem.
To check the certificate:
Public-Key: (2048 bit)
To see its subject:
subject=CN = 192.168.11.11
To generate a new certificate (replace 192.168.11.11 by the IP address of the XenServer host):
# cat key.pem cert.pem > /etc/xensource/xapi-ssl.pem
# service xapi restart
# rm -f key.pem cert.pem
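The check and regeneration steps above, written as shell functions around the openssl command line. This is an added example, not part of the original article: the function names, the openssl invocations, the 2048-bit threshold and the 3650-day validity are assumptions, and the key is built in a private temporary directory instead of the current directory.

```shell
#!/bin/sh
# Added example; helper names, MIN_BITS and the 3650-day validity are assumptions.
MIN_BITS=2048

# Print the public key size (in bits) of the certificate in PEM file $1.
# Matches both "Public-Key: (2048 bit)" and the older "RSA Public Key: (...)".
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the certificate subject, e.g. "subject=CN = 192.168.11.11".
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Return 0 if the key in $1 is at least MIN_BITS, non-zero otherwise
# (also non-zero when no key size could be read from the file).
cert_key_ok() {
    bits=$(cert_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Write a new key followed by a self-signed certificate for host IP $1
# to file $2. $3 is an optional key size (default 2048).
new_xapi_pem() {
    ip=$1 out=$2 size=${3:-2048}
    tmp=$(mktemp -d) || return 1
    (
        umask 077   # key, certificate and a newly created $out are owner-only
        openssl req -x509 -nodes -newkey "rsa:$size" -days 3650 \
            -subj "/CN=$ip" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
            2>/dev/null &&
        cat "$tmp/key.pem" "$tmp/cert.pem" > "$out"
    )
    rc=$?
    rm -rf "$tmp"   # same cleanup as the article's "rm -f key.pem cert.pem"
    return $rc
}

# On the host, as root (paths and restart command are the article's):
#   cert_key_ok /etc/xensource/xapi-ssl.pem ||
#       { new_xapi_pem 192.168.11.11 /etc/xensource/xapi-ssl.pem &&
#         service xapi restart; }
```

Keep a copy of the old /etc/xensource/xapi-ssl.pem before overwriting it, so the host can be rolled back if xapi does not come up.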