Security scan tools can report the default validity of ESXi certificate as vulnerable with warnings like "Invalid Maximum Validity Date Detected"


Article ID: 372518


Products

VMware vSphere ESXi

Issue/Introduction

  • The default validity period for the ESXi host certificates is 1825 days (5 years).
  • Certain organizations would like to change the default validity period for the ESXi host certificates.


Environment

VMware vSphere 7.x

VMware vSphere 8.x

Resolution

  • Login to the vCenter UI
    • Navigate to vCenter --> Configure --> Advanced Settings --> Edit Settings
    • Filter with the setting vpxd.certmgmt.certs.daysValid
    • Change the value to the number of days for which the certificates should be valid.
    • Click Save
  • Now, we can renew the certificates on the ESXi hosts
    • Navigate to ESXi hosts individually --> Configure --> System --> Certificates
    • Click on Renew
    • Once the task is completed, refresh to see if the new Valid from and Valid to dates change accordingly.
  • Note: The host should not be in maintenance mode when trying to Renew the certificate.
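After the vpxd.certmgmt.certs.daysValid change and the Renew task, it helps to confirm from outside the host that the certificate ESXi now presents on port 443 has the shorter validity window, since that presented certificate is what a security scanner inspects. The following script is an added example and is not part of this article or of any VMware tooling. It fetches the certificate without chain validation (VMCA-issued host certificates are normally not trusted by the scanning machine), hands it to the openssl command-line tool to read the notBefore/notAfter dates, and compares the lifetime against a maximum. The openssl binary on the checking machine and the 365-day threshold in max_days are assumptions; substitute the limit your scanner or policy actually applies.

```python
import ssl
import subprocess

# Default ESXi host certificate lifetime stated in the article (5 years).
ESXI_DEFAULT_DAYS = 1825


def validity_days(not_before: str, not_after: str) -> int:
    """Lifetime in whole days between two openssl-style date strings such as
    'Jan  5 09:59:03 2030 GMT'. Rounded to the nearest day so a renewal that
    straddles a second boundary still reports the intended value."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return round((end - start) / 86400)


def parse_openssl_dates(output: str) -> tuple:
    """Pull the notBefore/notAfter values out of the text that
    'openssl x509 -noout -startdate -enddate' prints."""
    dates = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            dates[key.strip()] = value.strip()
    return dates["notBefore"], dates["notAfter"]


def pem_validity(pem: str) -> tuple:
    """Ask the openssl CLI (assumed to be installed) for a PEM certificate's
    validity window."""
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-startdate", "-enddate"],
        input=pem, capture_output=True, text=True, check=True,
    )
    return parse_openssl_dates(proc.stdout)


def check_host(host: str, port: int = 443, max_days: int = 365) -> dict:
    """Fetch the certificate a host presents on its TLS port and report whether
    its lifetime exceeds max_days. No chain validation is performed because the
    VMCA root is usually not in the checking machine's trust store.
    max_days=365 is an assumed policy value, not a number from the article."""
    pem = ssl.get_server_certificate((host, port))
    not_before, not_after = pem_validity(pem)
    days = validity_days(not_before, not_after)
    return {
        "host": host,
        "not_before": not_before,
        "not_after": not_after,
        "days_valid": days,
        "exceeds_max": days > max_days,
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_esxi_cert.py <esxi-host> [max_days]
    target = sys.argv[1]
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 365
    print(check_host(target, max_days=limit))
```

Run it against each renewed host; a result with exceeds_max set to True means the presented certificate still carries a lifetime above the limit and the renewal either did not take effect or the daysValid change was not applied before the Renew task. The 1825-day default from the article would be flagged under the assumed 365-day limit, which is exactly why scanners report the unchanged default.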