Starting with vSphere 6.0, ESXi hosts are provisioned with certificates by VMCA by default. You can instead use custom certificate mode or, for debugging purposes, the legacy thumbprint mode. In most cases, mode switches are disruptive and not necessary. If you do require a mode switch, review the potential impact before you start.

In vSphere 6.0 and later, vCenter Server supports the following certificate modes for ESXi hosts.

Certificate Mode

Description

VMware Certificate Authority (default)

By default, the VMware Certificate Authority is used as the CA for ESXi host certificates. VMCA is the root CA by default, but it can be set up as the intermediary CA to another CA. In this mode, users can manage certificates from the vSphere Web Client. Also used if VMCA is a subordinate certificate.

Custom Certificate Authority

Some customers might prefer to manage their own external certificate authority. In this mode, customers are responsible for managing the certificates and cannot manage them from the vSphere Web Client.

Thumbprint Mode

vSphere 5.5 used thumbprint mode, and this mode is still available as a fallback option for vSphere 6.0. Do not use this mode unless you encounter problems with one of the other two modes that you cannot resolve. Some vCenter 6.0 and later services might not work correctly in thumbprint mode.

Using Custom ESXi Certificates

If your company policy requires that you use a different root CA than VMCA, you can switch the certificate mode in your environment after careful planning. The recommended workflow is as follows.

  1. Obtain the certificates that you want to use.

  2. Remove all hosts from vCenter Server.

  3. Add the custom CA's root certificate to VECS (VMware Endpoint Certificate Store).

  4. Deploy the custom CA certificates to each host and restart services on that host.

  5. Switch to Custom CA mode. See Change the Certificate Mode.

  6. Add the hosts to the vCenter Server system.

Switching from Custom CA Mode to VMCA Mode

If you are using custom CA mode and decide that using VMCA works better in your environment, you can perform the mode switch after careful planning. The recommended workflow is as follows.

  1. Remove all hosts from the vCenter Server system.

  2. On the vCenter Server system, remove the third-party CA's root certificate from VECS.

  3. Switch to VMCA mode. See Change the Certificate Mode.

  4. Add the hosts to the vCenter Server system.

Note:

Any other workflow for this mode switch might result in unpredictable behavior.

Retaining Thumbprint Mode Certificates During Upgrade

The switch from VMCA mode to thumbprint mode might be necessary if you encounter problems with the VMCA certificates. In thumbprint mode, the vCenter Server system checks only whether a certificate exists and is formatted correctly, and does not check whether the certificate is valid. See Change the Certificate Mode for instructions.

Switching from Thumbprint Mode to VMCA Mode

If you use thumbprint mode and you want to start using VMCA-signed certificates, the switch requires some planning. The recommended workflow is as follows.

  1. Remove all hosts from the vCenter Server system.

  2. Switch to VMCA certificate mode. See Change the Certificate Mode.

  3. Add the hosts to the vCenter Server system.

Note:

Any other workflow for this mode switch might result in unpredictable behavior.

Switching from Custom CA Mode to Thumbprint Mode

If you are encountering problems with your custom CA, consider switching to thumbprint mode temporarily. The switch works seamlessly if you follow the instructions in Change the Certificate Mode. After the mode switch, the vCenter Server system checks only the format of the certificate and no longer checks the validity of the certificate itself.

Switching from Thumbprint Mode to Custom CA Mode

If you set your environment to thumbprint mode during troubleshooting, and you want to start using custom CA mode, you must first generate the required certificates. The recommended workflow is as follows.

  1. Remove all hosts from the vCenter Server system.

  2. Add the custom CA root certificate to TRUSTED_ROOTS store on VECS on the vCenter Server system. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).

  3. For each ESXi host:

    1. Deploy the custom CA certificate and key.

    2. Restart services on the host.

  4. Switch to custom mode. See Change the Certificate Mode.

  5. Add the hosts to the vCenter Server system.