Why would ssh keys change on a pfSense power cycle?



  • I just set up a virtual pfSense instance a few days ago.

    I took down my ESXi server to add in a quad port Intel NIC.
    pfSense at power up reported missing SSH keys and generated new ones.
    At the same time the VMware console failed to connect, reporting an invalid SSL certificate.

    I found a VMware KB article that stated doing a power off and restart would regenerate the keys, which did resolve the issue.
    I answered and cleared the alerts on pfSense.

    My question is what would cause this chain of events that appears to have been initiated by the power cycle/hardware add on the ESXi server?
    Is this normal?
    Should I be concerned? This is the first time I have had an ESXi interface connected directly to the internet, and I'm still somewhat concerned this setup may not be as secure as a physical pfSense configuration.



  • As long as you set up the vswitch so that only the pfSense box has a LAN port on it, and it's running to a dedicated ESXi NIC, you're fine.

    That's not as uncommon as you think. I run into that all the time when I work on networking chassis or firewalls, anytime I change out a line card or module it regenerates the ssh keys when it restarts.
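A way to tell whether a host key really changed rather than just trusting the "missing keys" alert: record the SHA256 fingerprints of each host key beforehand and compare after the reboot. The script below is an added example, not from this thread or from pfSense; it computes fingerprints the same way `ssh-keygen -lf` does and audits known_hosts-format text. The hostnames `pfsense.lan`/`esxi.lan` and the key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of 'keytype base64blob [comment]'."""
    parts = pubkey_line.split()
    blob = base64.b64decode(parts[1])
    # ssh-keygen prints base64(sha256(blob)) without '=' padding
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> fingerprint from known_hosts-format lines."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, blob = line.split()[:3]
        keys[(host, keytype)] = fingerprint(f"{keytype} {blob}")
    return keys

def audit(baseline: dict, current: dict) -> dict:
    """Classify each current host key as 'unchanged', 'CHANGED' or 'new' vs the baseline."""
    result = {}
    for key, fp in current.items():
        if key not in baseline:
            result[key] = "new"
        elif baseline[key] != fp:
            result[key] = "CHANGED"
        else:
            result[key] = "unchanged"
    return result

def _fake_key(keytype: str, seed: bytes) -> str:
    # Constructed wire-format blob (string(keytype) + string(32 bytes)); not a real key.
    blob = (len(keytype).to_bytes(4, "big") + keytype.encode()
            + (32).to_bytes(4, "big") + seed * 32)
    return base64.b64encode(blob).decode()

# Constructed sample: the firewall's key before and after the reported regeneration.
BASELINE = "pfsense.lan ssh-ed25519 " + _fake_key("ssh-ed25519", b"\x01") + "\n"
CURRENT = ("pfsense.lan ssh-ed25519 " + _fake_key("ssh-ed25519", b"\x02") + "\n"
           "esxi.lan ssh-ed25519 " + _fake_key("ssh-ed25519", b"\x03") + "\n")

def main():
    report = audit(parse_known_hosts(BASELINE), parse_known_hosts(CURRENT))
    for (host, keytype), status in report.items():
        print(f"{host} {keytype}: {status}")

if __name__ == "__main__":
    main()
```

On a real system, feed it the output of `ssh-keyscan` taken before and after the reboot; a "CHANGED" entry you did not expect is the one worth investigating.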

