Your company's security policy might require that you replace the default ESXi SSL certificate with a third-party certificate authority (CA) signed certificate on all your hosts.

By default, vSphere components use the VMCA-signed certificate and key that are created during installation. If you accidentally delete the VMCA-signed certificate, remove the host from its vCenter Server system, and add it back. When you add the host, vCenter Server requests a new certificate from VMCA and provisions the host with it.

You can replace VMCA-signed certificates with certificates from a trusted certificate authority, either a commercial CA or an organizational CA, if your company policy requires it.

You can replace the default certificates with custom certificates using the vSphere Client or the CLI.

Note: You can also use the vim.CertificateManager and vim.host.CertificateManager managed objects in the vSphere Web Services SDK. See the vSphere Web Services SDK documentation.

Before you replace the certificate, you must update the TRUSTED_ROOTS store in VECS on the vCenter Server system that manages the host to ensure that the vCenter Server and the ESXi host have a trust relationship.

Note: If you are replacing SSL certificates on an ESXi host that is part of a vSAN cluster, follow the steps that are in the VMware knowledge base article at https://kb.vmware.com/s/article/56441.

Requirements for ESXi Certificate Signing Requests for Custom Certificates

Use a CSR with these characteristics:

  • Key size: 2048 bits (minimum) to 8192 bits (maximum) (PEM encoded)
  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
  • x509 version 3
  • For root certificates, the CA extension must be set to true, and Certificate Sign must be included in the key usages.
  • SubjectAltName must contain DNS Name=<machine_FQDN>.
  • CRT format
  • Contains the following Key Usages: Digital Signature, Key Encipherment
  • Start time of one day before the current time.
  • CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.

Note: vSphere's FIPS certificate only validates RSA key sizes of 2048 and 3072. See Considerations When Using FIPS.

vSphere does not support the following certificates:

  • Certificates with wildcards.
  • Certificates signed with the algorithms md2WithRSAEncryption, md5WithRSAEncryption, RSASSA-PSS, dsaWithSHA1, ecdsa_with_SHA1, or sha1WithRSAEncryption.
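The following shell script is an added illustration and is not VMware's own procedure or tooling. It encodes the CSR requirements listed above in an OpenSSL request config (2048-bit RSA key, SHA-256, CN and a DNS SubjectAltName set to the host's inventory name, Digital Signature and Key Encipherment key usages), generates the key and CSR, and then decodes the CSR to check it against those requirements before it is sent to the CA. It also builds a deliberately non-compliant CSR (wildcard CN, no SAN) to show the checker rejecting it. The host name esxi01.example.internal, the organisation name, the working directory and the file names rui.key/rui.csr are assumptions; the x509 version 3 and start-time requirements apply to the certificate the CA issues, not to the CSR, so they are not checked here.

```shell
#!/bin/sh
# Added example, not VMware's procedure: encode the CSR requirements in an
# OpenSSL request config, generate the key and CSR, and check the CSR before
# it goes to the CA. Host name and organisation are constructed placeholders.
set -eu

ESXI_FQDN="esxi01.example.internal"   # assumption: the host's name in the vCenter inventory
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an OpenSSL request config. $1 = path, $2 = CN, $3 = subjectAltName value
# (an empty $3 omits the SAN so the checker below has something to reject).
write_csr_config() {
    san_line=""
    [ -z "$3" ] || san_line="subjectAltName = $3"
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $2
O  = Example Org

[ v3_req ]
keyUsage       = digitalSignature, keyEncipherment
$san_line
EOF
}

# Generate an RSA-2048 key and a CSR from the config. $1 = config, $2 = key, $3 = CSR.
generate_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# Decode the CSR and test it against the requirements. Prints the first
# violation and returns 1; returns 0 when every check passes. $1 = CSR, $2 = FQDN.
check_csr() {
    csr="$1"; fqdn="$2"
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$csr" || { echo "not a PEM CSR"; return 1; }
    text=$(openssl req -in "$csr" -noout -text) || return 1
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt 2048 ] || [ "${bits:-0}" -gt 8192 ]; then
        echo "key size ${bits:-?} outside 2048..8192"; return 1
    fi
    # Signature algorithms the page lists as unsupported (OpenSSL spells the ECDSA one ecdsa-with-SHA1).
    if printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: (md2WithRSAEncryption|md5WithRSAEncryption|sha1WithRSAEncryption|RSASSA-PSS|dsaWithSHA1|ecdsa-with-SHA1)'; then
        echo "unsupported signature algorithm"; return 1
    fi
    if printf '%s\n' "$text" | grep -q 'Subject:.*\*'; then
        echo "wildcard in subject"; return 1
    fi
    printf '%s\n' "$text" | grep -Eq "Subject:.*CN *= *$fqdn" || { echo "CN is not $fqdn"; return 1; }
    printf '%s\n' "$text" | grep -q "DNS:$fqdn" || { echo "SAN lacks DNS:$fqdn"; return 1; }
    printf '%s\n' "$text" | grep -q 'Digital Signature' || { echo "missing Digital Signature key usage"; return 1; }
    printf '%s\n' "$text" | grep -q 'Key Encipherment' || { echo "missing Key Encipherment key usage"; return 1; }
    echo "CSR for $fqdn satisfies the listed requirements"
}

# Build one compliant CSR and one that breaks the rules (wildcard CN, no SAN);
# return 0 only if the checker accepts the first and rejects the second.
run_example() {
    write_csr_config "$WORKDIR/good.cnf" "$ESXI_FQDN" "DNS:$ESXI_FQDN"
    generate_csr "$WORKDIR/good.cnf" "$WORKDIR/rui.key" "$WORKDIR/rui.csr"
    check_csr "$WORKDIR/rui.csr" "$ESXI_FQDN" || return 1

    write_csr_config "$WORKDIR/bad.cnf" "*.example.internal" ""
    generate_csr "$WORKDIR/bad.cnf" "$WORKDIR/bad.key" "$WORKDIR/bad.csr"
    if check_csr "$WORKDIR/bad.csr" "$ESXI_FQDN"; then
        echo "checker wrongly accepted the wildcard CSR"; return 1
    fi
    return 0
}

run_example
```

The checker only inspects the request. Once the CA returns the signed certificate, run the same greps against `openssl x509 -in <cert> -noout -text`, where the Version line (must read 3) and the Validity period (Not Before one day before the current time) can also be confirmed, and compare the CN and DNS SAN against the name the host has in the vCenter Server inventory.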

To generate the CSR using the vSphere Client, see Generate a Certificate Signing Request for a Custom Certificate Using the vSphere Client.

For information about generating the CSR using the CLI, see the VMware knowledge base article at https://kb.vmware.com/s/article/2113926.