If VMCA assigns certificates to your ESXi hosts (6.0 and later), you can renew those certificates from the vSphere Web Client. You can also refresh all certificates from the TRUSTED_ROOTS store associated with vCenter Server.

About this task

You can renew your certificates when they are about to expire, or if you want to provision the host with a new certificate for other reasons. If the certificate is already expired, you must disconnect the host and reconnect it.

By default, each time a host is added to the inventory or reconnected, vCenter Server renews the host's certificates if their status is Expired, Expiring immediately, or Expiring.

Procedure

  1. Browse to the host in the vSphere Web Client inventory.
  2. Select Configure.
  3. Under System, click Certificate.

    You can view detailed information about the selected host's certificate.

  4. Click Renew or Refresh CA Certificates.

    | Option | Description |
    | --- | --- |
    | Renew | Retrieves a fresh signed certificate for the host from VMCA. |
    | Refresh CA Certificates | Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host. |

  5. Click Yes to confirm.
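
The same renew and refresh actions can be scripted across many hosts. The PowerCLI sketch below is an added example, not VMware-supplied code. The function names and the 60-day window are hypothetical, and the mapping of Renew and Refresh CA Certificates to the vSphere API `CertificateManager` methods is an assumption that is not stated on this page.

```powershell
# Added example, not VMware-supplied code. The vCenter-facing functions need
# VMware PowerCLI and an existing Connect-VIServer session.

function Get-HostCertificateInfo {
    # Read certificate details from each host's CertificateManager view.
    param([Parameter(Mandatory)] $VMHost)
    foreach ($h in $VMHost) {
        $view = Get-View -Id $h.ExtensionData.ConfigManager.CertificateManager
        [pscustomobject]@{
            Name     = $h.Name
            MoRef    = $h.ExtensionData.MoRef
            Status   = $view.CertificateInfo.Status
            NotAfter = $view.CertificateInfo.NotAfter
        }
    }
}

function Select-RenewalCandidate {
    # Keep hosts whose certificate is still valid but ends within $WithinDays.
    # Expired hosts are excluded: they must be disconnected and reconnected.
    # The 60-day default is an assumed value for illustration.
    param($CertInfo, [int]$WithinDays = 60, [datetime]$Now = (Get-Date))
    $CertInfo | Where-Object {
        $_.NotAfter -gt $Now -and $_.NotAfter -le $Now.AddDays($WithinDays)
    }
}

function Invoke-HostCertificateAction {
    # Default: renew (new VMCA-signed certificate). -RefreshCA pushes CA certificates.
    param([Parameter(Mandatory)] $Candidate, [switch]$RefreshCA)
    $content = (Get-View ServiceInstance).Content
    $certMgr = Get-View -Id $content.CertificateManager
    [VMware.Vim.ManagedObjectReference[]]$refs = @($Candidate.MoRef)
    if ($RefreshCA) { $certMgr.CertMgrRefreshCACertificatesAndCRLs_Task($refs) }
    else            { $certMgr.CertMgrRefreshCertificates_Task($refs) }
}

# Constructed sample data: exercises the selection logic without a vCenter connection.
$now = Get-Date '2024-01-01'
$sample = @(
    [pscustomobject]@{ Name = 'esx01.example.test'; NotAfter = $now.AddDays(400) }
    [pscustomobject]@{ Name = 'esx02.example.test'; NotAfter = $now.AddDays(20) }
    [pscustomobject]@{ Name = 'esx03.example.test'; NotAfter = $now.AddDays(-5) }
)
(Select-RenewalCandidate -CertInfo $sample -Now $now).Name
```

With a live session, pass `Get-HostCertificateInfo -VMHost (Get-VMHost)` through `Select-RenewalCandidate` and hand the result to `Invoke-HostCertificateAction`.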