By default, VMware Certificate Authority (VMCA) provisions ESXi with certificates. Use custom mode when replacing VMCA certificates with custom certificates. Use legacy thumbprint mode for debugging. If you do require a mode switch, review the potential impact before you start.

For an explanation of certificate modes, see Certificates and Certificate Modes.

Using Custom ESXi Certificates

Note: When switching from using VMCA certificates to custom certificates, make sure to allow time for organizational approval and fulfillment processes when generating certificates. Also, plan accordingly so that the current certificate does not expire during the switchover.

If your company policy requires that you use a different root CA than VMCA, you can switch the certificate mode in your environment after careful planning. The workflow is as follows.

  1. Switch to custom mode. See Change the ESXi Certificate Mode.

    Switching the mode enables the vSphere Client to activate the Manage with External CA drop-down, allowing you to generate the Certificate Signing Request.

  2. Add the root certificate of the custom CA to VMware Endpoint Certificate Store (VECS).
  3. Generate the Certificate Signing Request and obtain the certificates that you want to use.

    You might need to wait some time for the CSR to be returned.

  4. Import the custom CA certificate to the vCenter Server host.

    Allow some time for the vCenter Server to distribute the custom CA certificate to the ESXi hosts.

Switching from Custom CA Mode to VMCA Mode

If you are using custom CA mode and decide that using VMCA works better in your environment, you can perform the mode switch after careful planning. The workflow is as follows.

  1. Remove all hosts from the vCenter Server system.
  2. On the vCenter Server system, remove the root certificate of the third-party CA from VECS.
  3. Switch to vmca mode. See Change the ESXi Certificate Mode.
  4. Add the hosts to the vCenter Server system.
Note: Any other workflow for this mode switch might result in unpredictable behavior.

Retaining Thumbprint Mode Certificates During Upgrade

The switch from VMCA mode to thumbprint mode might be necessary if you encounter problems with the VMCA certificates. In thumbprint mode, the vCenter Server system checks only whether a certificate exists and is formatted correctly, and does not check whether the certificate is valid. See Change the ESXi Certificate Mode for instructions.

Switching from Thumbprint Mode to VMCA Mode

If you use thumbprint mode and you want to start using VMCA-signed certificates, the switch requires some planning. The workflow is as follows.

  1. Remove all ESXi hosts from the vCenter Server system.
  2. Switch to vmca mode. See Change the ESXi Certificate Mode.
  3. Add the ESXi hosts to the vCenter Server system.
Note: Any other workflow for this mode switch might result in unpredictable behavior.

Switching from Custom CA Mode to Thumbprint Mode

If you are encountering problems with your custom CA, consider switching to thumbprint mode temporarily. The switch works seamlessly if you follow the instructions in Change the ESXi Certificate Mode. After the mode switch, the vCenter Server system checks only the format of the certificate and no longer checks the validity of the certificate itself.

Switching from Thumbprint Mode to Custom CA Mode

If you set your environment to thumbprint mode during troubleshooting, and you want to start using custom CA mode, you must first generate the required certificates. The workflow is as follows.

  1. Remove all ESXi hosts from the vCenter Server system.
  2. Add the custom CA root certificate to the TRUSTED_ROOTS store on VECS on the vCenter Server system. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).
  3. For each ESXi host:
    1. Deploy the custom CA certificate and key.
    2. Restart services on the host.
  4. Switch to custom mode. See Change the ESXi Certificate Mode.
  5. Add the ESXi hosts to the vCenter Server system.