Starting in vSphere 8.0 Update 3, you can use the vSphere Client to generate a Certificate Signing Request (CSR) for the ESXi SSL certificate and to replace the certificate once it is ready.

Prerequisites

Change the certificate mode to custom. See Change the ESXi Certificate Mode. Switching the mode enables the vSphere Client to activate the Manage with External CA drop-down, allowing you to generate the Certificate Signing Request.

Warning: Generating a Certificate Signing Request generates a new private key. Do not generate another Certificate Signing Request during the process of replacing certificates. If you do, the previously generated CSR and subsequent certificate will no longer be valid.

Procedure

  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, click Certificate.
  4. From the Manage with External CA drop-down, select either Generate CSR Using IP or Generate CSR Using FQDN.
    vCenter Server identifies the option previously used to generate the certificate on the ESXi host.
  5. Select either Copy to Clipboard or Download, depending on how you want to generate the certificate signing request.

What to do next

You can now send the CSR to the certificate authority, or use the CSR to generate the certificate internally.