If VMCA assigns certificates to your ESXi hosts (6.0 and later), you can renew those certificates from the vSphere Client. You can also refresh all certificates from the TRUSTED_ROOTS store associated with vCenter Server.
You can renew your certificates when they are about to expire, or if you want to provision the host with a new certificate for other reasons. If the certificate is already expired, you must disconnect the host and reconnect it.
By default, vCenter Server renews the certificates of a host with status Expired, Expiring immediately, or Expiring each time the host is added to the inventory or reconnected.
Prerequisites
- The ESXi hosts are connected to the vCenter Server system.
- There is proper time synchronization between the vCenter Server system and the ESXi hosts.
- DNS resolution works between the vCenter Server system and the ESXi hosts.
- The vCenter Server system's MACHINE_SSL_CERT and Trusted_Root certificates are valid and have not expired. See the VMware knowledge base article at https://kb.vmware.com/s/article/2111411.
- The ESXi hosts are not in maintenance mode.
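The following pre-check is an added example, not VMware code. It applies the rules above to certificate expiry dates: a valid vCenter Server certificate is a prerequisite, an already expired host certificate requires disconnect and reconnect, and anything else can be renewed in place. The function names, the action labels, and the 30-day warning window are assumptions, and `fetch_cert` assumes you have exported the VMCA root certificate to a PEM file.

```python
import socket
import ssl
from datetime import datetime, timezone


def not_after(cert):
    """Expiry (UTC) from a certificate dict shaped like ssl.SSLSocket.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def fetch_cert(host, ca_file, port=443, timeout=5):
    """Fetch a certificate dict over TLS, trusting only the CA bundle in ca_file.

    An already expired certificate fails verification and raises
    ssl.SSLCertVerificationError instead of returning a dict.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def renewal_action(host_cert, vcenter_cert, now, warn_days=30):
    """Return (action, reason); the action labels and warn_days are assumptions."""
    if not_after(vcenter_cert) <= now:
        return "fix-vcenter", "vCenter MACHINE_SSL_CERT is expired; renewal prerequisite not met"
    remaining = not_after(host_cert) - now
    if remaining.total_seconds() <= 0:
        return "reconnect", "host certificate already expired; disconnect and reconnect the host"
    if remaining.days <= warn_days:
        return "renew", f"host certificate expires in {remaining.days} days"
    return "ok", f"host certificate valid for {remaining.days} more days"


if __name__ == "__main__":
    # Constructed sample data (hypothetical host names, not real certificates).
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    vcenter = {"notAfter": "Jan 10 00:00:00 2026 GMT"}
    hosts = {
        "esxi01.example.test": {"notAfter": "May 15 12:00:00 2024 GMT"},
        "esxi02.example.test": {"notAfter": "Jun 20 12:00:00 2024 GMT"},
        "esxi03.example.test": {"notAfter": "Dec 20 12:00:00 2025 GMT"},
    }
    for name, cert in hosts.items():
        print(name, *renewal_action(cert, vcenter, now))
```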