If VMCA assigns certificates to your ESXi hosts (6.0 and later), you can renew those certificates from the vSphere Web Client. You can also refresh all certificates from the TRUSTED_ROOTS store associated with vCenter Server.

You can renew your certificates when they are about to expire, or if you want to provision the host with a new certificate for other reasons. If you do not renew the certificate before it expires, disconnecting the host and reconnecting it causes vCenter Server to renew the certificate. The act of re-adding the host to vCenter Server reestablishes trust, and enables vCenter Server to unconditionally issue the renewed certificate.

By default, vCenter Server renews the certificates of a host with status Expired, Expiration imminent, or Expiring shortly, each time the host is added to the inventory, or reconnected.


  1. Browse to the host in the vSphere Web Client inventory.
  2. Select Configure.
  3. Under System, click Certificate.
    You can view detailed information about the selected host's certificate.
  4. Click Renew or Refresh CA Certificates.
    Option Description
    Renew Retrieves a fresh signed certificate for the host from VMCA.
    Refresh CA Certificates Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host.
  5. Click Yes to confirm.