The VMware Certificate Authority (VMCA) provisions each new ESXi host with a signed certificate that has VMCA as the root certificate authority by default. Provisioning happens when you add a host to vCenter Server explicitly or as part of installation or upgrade of ESXi.
You can view and manage ESXi certificates from the vSphere Client and by using the vim.CertificateManager API in the vSphere Web Services SDK. You cannot view or manage ESXi certificates by using certificate management CLIs that are available for managing vCenter Server certificates.
Starting in vSphere 8.0 Update 3, you can replace ESXi certificates without placing the host into maintenance mode, and without having to restart the host or individual services.
Certificates and Certificate Modes
When ESXi and vCenter Server communicate, they use TLS for almost all management traffic.
vCenter Server supports the following certificates and certificate modes for ESXi hosts.
| Certificate Mode | Description |
|---|---|
| VMware Certificate Authority (default) | By default, the VMware Certificate Authority is used as the certificate authority (CA) for ESXi host certificates. VMCA is the root CA by default, but it can be set up as the intermediary CA to another CA. In vmca mode, you can renew and refresh certificates from the vSphere Client. Also used if VMCA is a subordinate certificate. |
| Custom Certificate Authority | Use this mode if you want to use only custom certificates that are signed by a third-party or enterprise CA. In custom mode, you are responsible for managing the certificates. Starting in vSphere 8.0 Update 3, you can manage custom certificates from the vSphere Client.
Note: Unless you change the certificate mode to Custom Certificate Authority (
custom), VMCA might replace custom certificates, for example, when you select
Renew in the
vSphere Client.
|
| Thumbprint Mode | vSphere 5.5 used thumbprint mode, and this mode is still available as a fallback option for vSphere 6.x. In this mode, vCenter Server checks that the certificate is formatted correctly, but does not check the validity of the certificate. Even expired certificates are accepted. Do not use this mode unless you encounter problems that you cannot resolve with one of the other two modes. Some vCenter Server 6.x and later services might not work correctly in thumbprint mode. |
To change the certificate mode to use a different type of certificate, see ESXi Certificate Mode Switch Workflows and Change the ESXi Certificate Mode.
ESXi Certificate Expiration
You can view information about certificate expiration for certificates that are signed by VMCA or a third-party CA in the vSphere Client. You can view the information for all hosts that vCenter Server manages or for individual hosts. A yellow alarm is raised if the certificate is in the Expiring Shortly state (less than eight months). A red alarm is raised if the certificate is in the Expiration Imminent state (less than two months).
ESXi Provisioning and Certificates
When you boot an ESXi host from installation media, the host initially has an autogenerated certificate. When you add a host to the vCenter Server system, vCenter Server provisions the host with a certificate that is signed by VMCA as the root CA.
You can also use custom certificates that are signed by a third-party or an enterprise CA for ESXi hosts.
ESXi Provisioning and Certificates in Auto Deploy
The process is similar for hosts that are provisioned with Auto Deploy. However, because those hosts do not store any state, the signed certificate is stored by the Auto Deploy server in its local certificate store. The certificate is reused during subsequent boots of the ESXi hosts. An Auto Deploy server is part of any embedded deployment or vCenter Server system.
If VMCA is not available when an Auto Deploy host boots the first time, the host first attempts to connect. If the host cannot connect, it cycles through shutdown and reboot until VMCA becomes available and the host can be provisioned with a signed certificate.
You can make Auto Deploy a subordinate Certificate Authority of a third-party Certificate Authority. In this case, the generated certificates are signed with the Auto Deploy SSL key. See Make Auto Deploy a Subordinate Certificate Authority.
In ESXi 8.0 and later, you can use custom certificates (certificates signed by a Certificate Authority) with Auto Deploy. When the host starts, Auto Deploy associates the custom certificate with either a MAC address or the BIOS UUID of the ESXi host. See Use Custom Certificates with Auto Deploy.
Required Privileges for ESXi Certificate Management
The privilege is required for users to manage your ESXi host certificates.
ESXi Host Name and IP Address Changes
An ESXi host name or IP address change might affect whether vCenter Server considers a host certificate valid. How you added the ESXi host to vCenter Server affects whether manual intervention is necessary. Manual intervention means that you either reconnect the host, or you remove the host from vCenter Server and add it back.
| ESXi Host added to vCenter Server using... | ESXi Host name changes | ESXi IP address changes |
|---|---|---|
| Host name | vCenter Server connectivity problem. Manual intervention required. | No intervention required. |
| IP address | No intervention required. | vCenter Server connectivity problem. Manual intervention required. |
