The VMware Certificate Authority (VMCA) provisions each new ESXi host with a signed certificate that has VMCA as the root certificate authority by default. Provisioning happens when you add a host to vCenter Server explicitly or as part of installation or upgrade of ESXi.

You can view and manage ESXi certificates from the vSphere Client and by using the vim.CertificateManager API in the vSphere Web Services SDK. You cannot view or manage ESXi certificates by using certificate management CLIs that are available for managing vCenter Server certificates.

Certificates in vSphere

When ESXi and vCenter Server communicate, they use TLS for almost all management traffic.

vCenter Server supports the following certificate modes for ESXi hosts.
Table 1. Certificate Modes for ESXi Hosts
Certificate Mode Description
VMware Certificate Authority (default) Use this mode if VMCA provisions all ESXi hosts, either as the top-level CA or as an intermediate CA.

By default, VMCA provisions ESXi hosts with certificates.

In this mode, you can refresh and renew certificates from the vSphere Client.

Custom Certificate Authority Use this mode if you want to use only custom certificates that are signed by a third-party or enterprise CA.
In this mode, you are responsible for managing the certificates. You cannot refresh and renew certificates from the vSphere Client.
Note: Unless you change the certificate mode to Custom Certificate Authority, VMCA might replace custom certificates, for example, when you select Renew in the vSphere Client.
Thumbprint Mode vSphere 5.5 used thumbprint mode, and this mode is still available as a fallback option for vSphere 6.x. In this mode, vCenter Server checks that the certificate is formatted correctly, but does not check the validity of the certificate. Even expired certificates are accepted.

Do not use this mode unless you encounter problems that you cannot resolve with one of the other two modes. Some vCenter Server 6.x and later services might not work correctly in thumbprint mode.

ESXi Certificate Expiration

You can view information about certificate expiration for certificates that are signed by VMCA or a third-party CA in the vSphere Client. You can view the information for all hosts that vCenter Server manages or for individual hosts. A yellow alarm is raised if the certificate is in the Expiring Shortly state (less than eight months). A red alarm is raised if the certificate is in the Expiration Imminent state (less than two months).

ESXi Provisioning and Certificates

When you boot an ESXi host from installation media, the host initially has an autogenerated certificate. When you add a host to the vCenter Server system, vCenter Server provisions the host with a certificate that is signed by VMCA as the root CA.

You can also use custom certificates that are signed by a third-party or an enterprise CA for ESXi hosts.

ESXi Provisioning and Certificates in Auto Deploy

The process is similar for hosts that are provisioned with Auto Deploy. However, because those hosts do not store any state, the signed certificate is stored by the Auto Deploy server in its local certificate store. The certificate is reused during subsequent boots of the ESXi hosts. An Auto Deploy server is part of any embedded deployment or vCenter Server system.

If VMCA is not available when an Auto Deploy host boots the first time, the host first attempts to connect. If the host cannot connect, it cycles through shutdown and reboot until VMCA becomes available and the host can be provisioned with a signed certificate.

You can make Auto Deploy a subordinate Certificate Authority of a third-party Certificate Authority. In this case, the generated certificates are signed with the Auto Deploy SSL key. See Make Auto Deploy a Subordinate Certificate Authority.

In ESXi 8.0 and later, you can use custom certificates (certificates signed by a Certificate Authority) with Auto Deploy. When the host starts, Auto Deploy associates the custom certificate with either a MAC address or the BIOS UUID of the ESXi host. See Use Custom Certificates with Auto Deploy.

Required Privileges for ESXi Certificate Management

The Certificates.Manage Certificates privilege is required for users to manage your ESXi host certificates.

ESXi Host Name and IP Address Changes

An ESXi host name or IP address change might affect whether vCenter Server considers a host certificate valid. How you added the ESXi host to vCenter Server affects whether manual intervention is necessary. Manual intervention means that you either reconnect the host, or you remove the host from vCenter Server and add it back.

Table 2. When Host Name or IP Address Changes Require Manual Intervention
ESXi Host added to vCenter Server using... ESXi Host name changes ESXi IP address changes
Host name vCenter Server connectivity problem. Manual intervention required. No intervention required.
IP address No intervention required. vCenter Server connectivity problem. Manual intervention required.