If VMCA assigns certificates to your ESXi hosts (6.0 and later), you can renew those certificates from the vSphere Web Client. You can also refresh all certificates from the TRUSTED_ROOTS store associated with vCenter Server.

You can renew your certificates when they are about to expire, or if you want to provision the host with a new certificate for other reasons. If the certificate is already expired, you must disconnect the host and reconnect it.

By default, vCenter Server renews the certificates of a host with status Expired, Expiring immediately, or Expiring each time the host is added to the inventory, or reconnected.


  1. Browse to the host in the vSphere Web Client inventory.
  2. Click the Manage tab and click Settings.
  3. Select System, and click Certificate.
    You can view detailed information about the selected host's certificate.
  4. Click Renew or Refresh CA Certificates.
    Option Description
    Renew Retrieves a fresh signed certificate for the host from VMCA.
    Refresh CA Certificates Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host.
  5. Click Yes to confirm.