Starting in vSphere 8.0 Update 3, you can replace the default VMCA-signed ESXi certificates with custom certificates from the vSphere Client.
When importing the custom certificate, make sure that you:
- Add your entire CA certificate chain before proceeding with the replacement.
- Provide the correct CA certificate for your environment. The import and replace process does not validate the certificate that you use.
- Ensure that there are no SHA1 hashes in the certificate chain. SHA1 is not supported.
- Add the root CA to VECS before proceeding. Otherwise, the host disconnects immediately after the certificate replacement.
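Because the import and replace process does not validate the certificate itself, the following added example (not VMware code or part of this page) is a pre-import check a practitioner can run on the PEM bundle before starting the procedure. It assumes a bundle with the host certificate first and the CA chain after it, and that openssl is installed; it reports each certificate's signature algorithm, rejects SHA1, and confirms that the host certificate verifies against the CA certificates supplied with it.

```shell
#!/bin/sh
# Pre-import check for a custom ESXi certificate chain (added example, not
# VMware code). Assumptions: the bundle is a PEM file with the host (leaf)
# certificate first and the CA chain after it, and openssl is installed.
set -e

# True (0) when a signature-algorithm name uses SHA-1, which ESXi rejects.
sig_alg_is_sha1() {
    case "$1" in
        *sha1*|*SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write each certificate of the PEM bundle $1 to its own file under directory $2.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Report each certificate's signature algorithm, reject SHA-1, and confirm the
# leaf verifies against the CA certificates that follow it in the bundle.
# Returns 0 when the chain is acceptable for import, 1 otherwise.
check_chain() {
    bundle="$1"
    work=$(mktemp -d)
    split_chain "$bundle" "$work"
    status=0
    count=0
    leaf=""
    : > "$work/ca.pem"
    for cert in "$work"/cert*.pem; do
        [ -f "$cert" ] || continue
        count=$((count + 1))
        # First "Signature Algorithm:" line in -text output names the algorithm.
        alg=$(openssl x509 -in "$cert" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }')
        subj=$(openssl x509 -in "$cert" -noout -subject)
        echo "$subj  signature: $alg"
        if sig_alg_is_sha1 "$alg"; then
            echo "  REJECT: SHA-1 signature is not supported by ESXi"
            status=1
        fi
        # The first certificate is the leaf; everything after it forms the CA file.
        if [ -z "$leaf" ]; then leaf="$cert"; else cat "$cert" >> "$work/ca.pem"; fi
    done
    if [ "$count" -lt 2 ]; then
        echo "REJECT: bundle holds only the leaf; include the entire CA chain"
        status=1
    elif openssl verify -CAfile "$work/ca.pem" "$leaf" >/dev/null 2>&1; then
        echo "OK: leaf verifies against the supplied CA chain"
    else
        echo "REJECT: leaf does not verify against the supplied CA chain"
        status=1
    fi
    rm -rf "$work"
    return "$status"
}
```

Run it as `check_chain /path/to/chain.pem` before opening the Import and replace wizard; a non-zero exit means the bundle is missing its CA chain, carries a SHA1 signature, or does not chain to the supplied CA, all of which the wizard itself would not catch.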
Prerequisites
- Generate the certificate signing request and send it to the certificate authority. See Generate a Certificate Signing Request for a Custom Certificate Using the vSphere Client.
- When the certificate authority returns the certificate, store it on the ESXi hosts.
- Make sure that the ESXi certificate mode is set to custom. See Change the ESXi Certificate Mode.
- Update the trusted root store. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).
Procedure
- Browse to the host in the vSphere Client inventory.
- Click Configure.
- Under System, click Certificate.
- From the Manage with External CA drop-down, select Import and replace.
- Select the replace option.
  - Replace with external CA certificate where CSR generated by ESXi (private key embedded): Use this option if you generated the CSR on ESXi, in which case the private key is stored on ESXi.
  - Replace with external CA certificate where CSR generated from a certificate authority (requires private key): Use this option if you sent the CSR to a third-party certificate authority and received back the certificate and private key.
- Click Next.
- Browse for the certificate, or certificate and private key.
- Review the information, then click Import and Replace.
Results
The custom certificate replaces the existing certificate.