If you use the VMware Certificate Authority (VMCA) to assign certificates to your hosts, you can renew those certificates from the vSphere Client. If you use either VMCA certificates or custom certificates, you can refresh all certificates from the TRUSTED_ROOTS store associated with vCenter Server.

You can use the vSphere Client to renew your VMCA certificates when they are about to expire, or if you want to provision the host with a new certificate for other reasons. If you do not renew the VMCA certificate before it expires, disconnecting the host and reconnecting it causes vCenter Server to renew the certificate. The act of re-adding the host to vCenter Server reestablishes trust, and enables vCenter Server to unconditionally issue the renewed certificate.

By default, vCenter Server renews the VMCA certificate of a host with status Expired, Expiration imminent, or Expiring shortly, and each time the host is added to the inventory or reconnected.

You cannot renew an ESXi certificate with an expiration date later than the expiration date of the trusted root certificate. For example, even if the ESXi vpxd.certmgmt.certs.daysValid advanced option is set to five years, and your trusted root certificate is set to expire in two years, the ESXi certificate expiration date is limited to two years.
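As an added example that is not part of this VMware documentation, the following PowerCLI script reports, for each ESXi host, the current certificate status and the effective expiry a renewal would receive once the trusted root's own expiry caps the vpxd.certmgmt.certs.daysValid setting. It assumes PowerCLI 12 or later with the Get-VIMachineCertificate and Get-VITrustedCertificate cmdlets, that the objects they return expose Subject, Issuer and NotAfter properties, and a vCenter Server reachable at the placeholder name vcsa.example.com. The mapping of the vpxd.certmgmt.certs.hardThreshold and softThreshold settings (in days) to the Expiration imminent and Expiring shortly statuses is also an assumption made for this example.

```powershell
# Added example, not part of the VMware documentation. Assumes PowerCLI 12+ and
# a vCenter Server at the placeholder address vcsa.example.com.
Import-Module VMware.VimAutomation.Core -ErrorAction Stop

$vc = Connect-VIServer -Server 'vcsa.example.com'

# vCenter advanced settings that govern VMCA-issued host certificates.
# daysValid is the requested validity of a renewed host certificate;
# hardThreshold / softThreshold (days) are assumed here to correspond to the
# "Expiration imminent" and "Expiring shortly" statuses in the vSphere Client.
function Get-CertSetting([string]$Name) {
    [int](Get-AdvancedSetting -Entity $vc -Name "vpxd.certmgmt.certs.$Name").Value
}
$daysValid     = Get-CertSetting 'daysValid'
$hardThreshold = Get-CertSetting 'hardThreshold'
$softThreshold = Get-CertSetting 'softThreshold'

# Trusted roots held in the vCenter Server TRUSTED_ROOTS store (VECS).
$trustedRoots = Get-VITrustedCertificate -Server $vc -VCenterOnly
$now = Get-Date

$report = foreach ($esx in Get-VMHost -Server $vc) {
    $hostCert = Get-VIMachineCertificate -VMHost $esx

    # The root that issued the host certificate caps how far a renewal can extend.
    # Fall back to the earliest-expiring trusted root if no direct match is found.
    $root = $trustedRoots | Where-Object { $_.Subject -eq $hostCert.Issuer } | Select-Object -First 1
    if (-not $root) { $root = $trustedRoots | Sort-Object NotAfter | Select-Object -First 1 }

    # Classify the current host certificate the way vCenter's thresholds would.
    $daysLeft = [math]::Floor(($hostCert.NotAfter - $now).TotalDays)
    $status = if ($daysLeft -lt 0)                  { 'Expired' }
              elseif ($daysLeft -le $hardThreshold) { 'Expiration imminent' }
              elseif ($daysLeft -le $softThreshold) { 'Expiring shortly' }
              else                                  { 'Good' }

    # A renewed certificate is requested for daysValid days but never outlives the trusted root.
    $requested = $now.AddDays($daysValid)
    $effective = if ($requested -gt $root.NotAfter) { $root.NotAfter } else { $requested }

    [pscustomobject]@{
        Host          = $esx.Name
        Status        = $status
        CurrentExpiry = $hostCert.NotAfter
        RenewalExpiry = $effective
        CappedByRoot  = ($requested -gt $root.NotAfter)
        RootExpiry    = $root.NotAfter
    }
}

$report | Sort-Object CurrentExpiry | Format-Table -AutoSize
Disconnect-VIServer -Server $vc -Confirm:$false
```

Hosts reported with CappedByRoot set to True will not receive the full daysValid validity on renewal, which is the cue to renew or replace the trusted root before renewing the host certificates.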

You can use the vSphere Client to push all certificates currently in the TRUSTED_ROOTS store in the vCenter Server VECS store to the ESXi host. Use this capability if you need to refresh the trusted roots on an ESXi host. This capability exists for both VMCA and custom certificates.

Prerequisites

Verify the following:
  • If using VMCA certificates, the certificate mode is set to vmca.
  • If using custom certificates, the certificate mode is set to custom.
  • The ESXi hosts are connected to the vCenter Server system.
  • There is proper time synchronization between the vCenter Server system and the ESXi hosts.
  • DNS resolution works between the vCenter Server system and the ESXi hosts.
  • The vCenter Server system's MACHINE_SSL_CERT and Trusted_Root certificates are valid and have not expired. See the VMware knowledge base article at https://kb.vmware.com/s/article/2111411.
  • The ESXi hosts are not in maintenance mode.
Note: If you use custom certificates and need to renew them, re-import the certificates.

Procedure

  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, click Certificate.
    You can view the details about the certificate of the selected host.
  4. Select the appropriate option based on the type of certificate used.
    Option: Manage with VMCA > Renew
    Description: Retrieves a fresh signed certificate for the host from VMCA.

    Option: Manage with VMCA > Refresh CA Certificates, or Manage with External CA > Refresh CA Certificates
    Description: Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host.