If VMCA assigns certificates to your ESXi hosts (6.0 and later), you can renew those certificates from the vSphere Client. You can also refresh all certificates from the TRUSTED_ROOTS store associated with vCenter Server.

You can renew your certificates when they are about to expire, or if you want to provision the host with a new certificate for other reasons. If you do not renew the certificate before it expires, disconnecting the host and reconnecting it causes vCenter Server to renew the certificate. The act of re-adding the host to vCenter Server reestablishes trust, and enables vCenter Server to unconditionally issue the renewed certificate.

By default, vCenter Server renews the certificates of a host with status Expired, Expiration imminent, or Expiring shortly, each time the host is added to the inventory, or reconnected.

Prerequisites

Verify the following:
  • The ESXi hosts are connected to the vCenter Server system.
  • There is proper time synchronization between the vCenter Server system and the ESXi hosts.
  • DNS resolution works between the vCenter Server system and the ESXi hosts.
  • The vCenter Server system's MACHINE_SSL_CERT and Trusted_Root certificates are valid and have not expired. See the VMware knowledge base article at https://kb.vmware.com/s/article/2111411.
  • The ESXi hosts are not in maintenance mode.

Procedure

  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, click Certificate.
    You can view detailed information about the selected host's certificate.
  4. Click Renew or Refresh CA Certificates.
    Option Description
    Renew Retrieves a fresh signed certificate for the host from VMCA.
    Refresh CA Certificates Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host.
  5. Click Yes to confirm.