When a host is added to a vCenter Server system, vCenter Server sends a Certificate Signing Request (CSR) for the host to VMCA. Most of the default values are well suited for many situations, but company-specific information can be changed.

You can change many of the default settings using the vSphere Web Client. Consider changing the organization, and location information. See Change Certificate Default Settings.

Table 1. ESXi CSR Settings
Parameter Default Value Advanced Option
Key Size 2048 N.A.
Key Algorithm RSA N.A.
Certificate Signature Algorithm sha256WithRSAEncryption N.A.
Common Name Name of the host if the host was added to vCenter Server by host name.

IP address of the host if the host was added to vCenter Server by IP address.

N.A.
Country USA vpxd.certmgmt.certs.cn.country
Email address [email protected] vpxd.certmgmt.certs.cn.email
Locality (City) Palo Alto vpxd.certmgmt.certs.cn.localityName
Organization Unit Name VMware Engineering vpxd.certmgmt.certs.cn.organizationalUnitName
Organization Name VMware vpxd.certmgmt.certs.cn.organizationName
State or province California vpxd.certmgmt.certs.cn.state
Number of days the certificate is valid. 1825 vpxd.certmgmt.certs.cn.daysValid
Hard threshold for certificate expiration. vCenter Server raises a red alarm when this threshold is reached. 30 days vpxd.certmgmt.certs.cn.hardThreshold
Poll interval for vCenter Server certificate validity checks. 5 days vpxd.certmgmt.certs.cn.pollIntervalDays
Soft Threshold for certificate expiration. vCenter Server raises an event when this threshold is reached. 240 days vpxd.certmgmt.certs.cn.softThreshold
Mode that vCenter Server users to determine whether existing certificates are replaced. Change this mode to retain custom certificates during upgrade. See Host Upgrades and Certificates. Default is vmca

You can also specify thumbprint or custom. See Change the Certificate Mode.

vpxd.certmgmt.mode