When a host is added to a vCenter Server system, vCenter Server sends a Certificate Signing Request (CSR) for the host to VMCA. You can change some of the default settings in the CSR using the vCenter Server Advanced Settings in the vSphere Client.

See ESXi Certificate Default Settings for a list of default settings. Some of the defaults cannot be changed.


  1. In the vSphere Client, select the vCenter Server system that manages the hosts.
  2. Click Configure, and click Advanced Settings.
  3. Click Edit Settings.
  4. Click the Filter icon in the Name column, and in the Filter box, enter vpxd.certmgmt to display only certificate management parameters.
  5. Change the value of the existing parameters to follow your company policy and click Save.
    The next time you add a host to vCenter Server, the new settings are used in the CSR that vCenter Server sends to VMCA and in the certificate that is assigned to the host.

What to do next

Changes to certificate metadata only affect new certificates. If you want to change the certificates of hosts that are already managed by the vCenter Server system, you can disconnect and reconnect the hosts or renew the certificates.