When a host is added to a vCenter Server system, vCenter Server sends a Certificate Signing Request (CSR) for the host to VMCA. Most of the default values are well suited for many situations, but company-specific information can be changed.

You can change many of the default settings using the vSphere Web Client. Consider changing the organization and location information. See Change Certificate Default Settings.

Table 1. ESXi CSR Settings

| Parameter | Default Value | Advanced Option |
|---|---|---|
| Key Size | 2048 | N.A. |
| Key Algorithm | RSA | N.A. |
| Certificate Signature Algorithm | sha256WithRSAEncryption | N.A. |
| Common Name | Name of the host if the host was added to vCenter Server by host name. IP address of the host if the host was added to vCenter Server by IP address. | N.A. |
| Country | USA | vpxd.certmgmt.certs.cn.country |
| Email address | vmca@vmware.com | vpxd.certmgmt.certs.cn.email |
| Locality (City) | Palo Alto | vpxd.certmgmt.certs.cn.localityName |
| Organization Unit Name | VMware Engineering | vpxd.certmgmt.certs.cn.organizationalUnitName |
| Organization Name | VMware | vpxd.certmgmt.certs.cn.organizationName |
| State or province | California | vpxd.certmgmt.certs.cn.state |
| Number of days the certificate is valid. | 1825 | vpxd.certmgmt.certs.cn.daysValid |
| Hard threshold for certificate expiration. vCenter Server raises a red alarm when this threshold is reached. | 30 days | vpxd.certmgmt.certs.cn.hardThreshold |
| Poll interval for vCenter Server certificate validity checks. | 5 days | vpxd.certmgmt.certs.cn.pollIntervalDays |
| Soft threshold for certificate expiration. vCenter Server raises an event when this threshold is reached. | 240 days | vpxd.certmgmt.certs.cn.softThreshold |
| Mode that vCenter Server uses to determine whether existing certificates are replaced. Change this mode to retain custom certificates during upgrade. See Host Upgrades and Certificates. | Default is vmca. You can also specify thumbprint or custom. See Change the Certificate Mode. | vpxd.certmgmt.mode |
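The following audit helper is an added example, not VMware code: it takes the advanced options from Table 1 as a dictionary, reports which certificate subject fields still carry the shipped defaults, checks that the thresholds are ordered sensibly, and classifies a host certificate's expiry date. The function names and sample values are hypothetical, and it assumes the thresholds are counted as days remaining before the certificate expires.

```python
from datetime import date

# Defaults as listed in Table 1 (ESXi CSR Settings).
PREFIX = "vpxd.certmgmt.certs.cn."
DEFAULTS = {
    PREFIX + "country": "USA",
    PREFIX + "email": "vmca@vmware.com",
    PREFIX + "localityName": "Palo Alto",
    PREFIX + "organizationalUnitName": "VMware Engineering",
    PREFIX + "organizationName": "VMware",
    PREFIX + "state": "California",
    PREFIX + "daysValid": "1825",
    PREFIX + "hardThreshold": "30",
    PREFIX + "softThreshold": "240",
}
SUBJECT_KEYS = [k for k in DEFAULTS if not k.endswith(("daysValid", "Threshold"))]

def effective(settings):  # configured values overlaid on the documented defaults
    return {**DEFAULTS, **settings}

def unchanged_subject_fields(settings):
    """Subject settings that still carry the shipped default value."""
    eff = effective(settings)
    return [k for k in SUBJECT_KEYS if eff[k] == DEFAULTS[k]]

def threshold_problems(settings):
    """Flag orderings that make the expiration warnings meaningless."""
    eff = effective(settings)
    hard, soft, valid = (int(eff[PREFIX + k]) for k in
                         ("hardThreshold", "softThreshold", "daysValid"))
    problems = []
    if hard >= soft:
        problems.append("hardThreshold >= softThreshold")
    if soft >= valid:
        problems.append("softThreshold >= daysValid")
    return problems

def expiry_state(not_after, today, settings):
    """Assumption: thresholds are days remaining before not_after."""
    eff = effective(settings)
    remaining = (not_after - today).days
    if remaining <= int(eff[PREFIX + "hardThreshold"]):
        return "red-alarm"
    if remaining <= int(eff[PREFIX + "softThreshold"]):
        return "event"
    return "ok"

# Constructed sample: only the organization and validity period were changed.
SAMPLE = {PREFIX + "organizationName": "Example Corp", PREFIX + "daysValid": "200"}
```

With the constructed sample, a 200-day validity period sits below the 240-day soft threshold, so every newly issued certificate would already be inside the warning window.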