If you upgraded (or deployed) ESX/ESXi 9.0 in a lab and let the evaluation expire, you can end up in the classic chicken-and-egg situation: your vCenter is a VM, but you can’t power it on because the host is no longer licensed.
With VCF / vSphere Foundation 9.0, licensing moved away from the old 25-character keys and into license files(normally handled through VCF Operations), which is great… until you don’t have VCF Ops up yet. (VMware Blogs)
This post is about the standalone-host path: apply a private license file directly on the ESX host using esxcli. (VCF Business Services)
The Big Disclaimer
STOP. READ THIS FIRST.
This is not a “reset the trial” guide. To do this the right way, you need:
- A valid subscription/entitlement
- Access to the VCF Business Services licensing portal (Broadcom)
- And in many cases, approval to use private license files (this workflow is specifically documented for customers approved for private license files). (VCF Business Services)
If you don’t have entitlements, this won’t help — and it shouldn’t.
What changed in 9.0 (quick context)
In VCF / VVF 9.0:
- License keys are no longer used; licensing is based on subscription license files. (VCF Business Services)
- A VCF Operations instance is the normal way to manage licenses centrally — but for standalone hosts / restricted environments, private license file workflows exist. (VCF Business Services)
- License files are different for ESX hosts vs VCF Operations. Pick the wrong type and the import/assignment will fail. (VCF Business Services)
What you need
- SSH access to the ESX 9 host (or local DCUI + ESXCLI access)
- A machine with
opensslto generate an RSA keypair - A way to copy files to ESX (scp/WinSCP/etc.)
Step 1 — Generate an RSA key pair
Generate a 4096-bit RSA private/public keypair:
Estimated reading time: 4 minutes
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096
openssl rsa -pubout -in private_key.pem -out public_key.pem
Optional: keep a combined file for tracking:
cat private_key.pem public_key.pem > keypair.pem
A couple important notes:
- The max version you select in the license workflow matters (it caps the highest version you can use with the license until you regenerate a license file). (VCF Business Services)
- Keep the public key safe. Broadcom does not save the public key you paste into the wizard, and you’ll need it if you want to generate updated license files later. (VCF Business Services)
Step 2 — Create a private license file for an ESX host (in the portal)
In the VCF Business Services console:
- Go to License Management → VCF Operations Registrations
- Click Create Private License File
- Give it a display name
- Select the target type: ESX host (not VCF Operations) (VCF Business Services)
- (Optional) Use Manage Licenses if you want to split/allocate capacity into a new license object
- Select the license(s) to include
- Paste the encoded RSA public key (PEM format) into the wizard
- Download the license file (the doc examples call it
license.token) (VCF Business Services)
Step 3 — Copy the private key + license token to the ESX host
Copy these two files to the ESX host (example paths):
private_key.pem→/tmp/key.pem- downloaded license file →
/tmp/license.token
(Use scp/WinSCP/whatever you prefer.)
Step 4 — Import the private key into the ESX host
SSH to the ESX host and run:
esxcli licensing credential add --file /tmp/key.pem
The path must be absolute. (VCF Business Services)
You can list imported keys with:
esxcli licensing credential list
You can import up to five private keys; if you hit the limit, remove an old one:
esxcli licensing credential remove --id <ID>
Step 5 — Import the license entitlement token
Now apply the downloaded license token file:
esxcli licensing entitlement add --file /tmp/license.token
Again: absolute path required. (VCF Business Services)
Step 6 — Verify the host is licensed
List the entitlement assignments:
esxcli licensing entitlement list
Also confirm your credential is present:
esxcli licensing credential list
At this point, your ESX host should be out of evaluation mode and you can go back to powering on the vCenter VM and finishing the rest of your licensing stack (typically via VCF Operations).
Updating/replacing the license file later
You can only have one license file imported to an ESX host — but you can replace it. (VCF Business Services)
- Find the entitlement assignment ID:esxcli licensing entitlement list
- Replace it with the new token:esxcli licensing entitlement set –id –file /tmp/license.token
Quick & Dirty “apply” script
If you want something you can copy/paste into a shell script on the ESX host:
#!/bin/sh
set -e
KEY="/tmp/key.pem"
TOKEN="/tmp/license.token"
esxcli licensing credential add --file "$KEY"
esxcli licensing entitlement add --file "$TOKEN"
echo "---- Credentials ----"
esxcli licensing credential list
echo "---- Entitlements ----"
esxcli licensing entitlement list
Tip: /tmp is ephemeral, so after you confirm everything is imported, you can delete the files you uploaded (the host keeps the imported data).
Common gotchas
- Wrong file type: If you generated a license file for VCF Operations instead of ESX host, the host import won’t do what you want. License files differ by target. (VCF Business Services)
- Forgetting absolute paths:
esxcli licensing … --filerequires an absolute path. (Broadcom Developer) - Expecting to license vCenter directly from the portal: You can’t assign licenses to vCenter without using a VCF Operations instance (per the private license file doc). (VCF Business Services)
References
- VCF 9.0 Licensing – Private License Files (official PDF) (VCF Business Services)
- Broadcom ESXCLI licensing command reference (Broadcom Developer)
- Official “Licensing in VMware Cloud Foundation 9.0” overview (VMware Blogs)
