ESXi host is marked with Alarm: "ESXi Host Certificate Status"

ESXi host certificate is either expired or about to expire.

Renew the affected ESXi Host's SSL certificate which can be done via GUI (vSphere UI) or using SSH:

Renew ESXi host certificates using vSphere UI:

1. Browse to the host in the vSphere Client inventory.
2. Click Configure.
3. Under System, click Certificate. You can view detailed information about the selected host's certificate.
4. Click Renew.
5. Click Yes to confirm.

If you are unable to manage affected ESXi host from vCenter Server vSphere UI, renew ESXi host certificate using SSH session:

1. In a web browser, log in to the ESXi host using the VMware Host Client.
2. In the Actions menu, click Services > Enable Secure Shell (SSH).
3. Log in to the ESXi host using an SSH client such as Putty.
4. Regenerate the self-signed certificate by executing the following command:
   

   $ /sbin/generate-certificates

5. Restart the hostd and vpxa services by executing the following command:
   

   $ /etc/init.d/hostd restart && /etc/init.d/vpxa restart

6. Log back in to the VMware Host Client and click Services > Disable Secure Shell (SSH) from the Actions menu.
7. Repeat the above steps for all remaining hosts.

Prerequisites before refreshing/renewing the ESXi SSL certificates from vCenter server vSphere UI:

• The ESXi hosts are connected to the vCenter Server.
• Ensure time synchronization between the vCenter Server system and the ESXi hosts.
• DNS resolution works between the vCenter Server system and the ESXi hosts.
  • The vCenter Server system's MACHINE_SSL_CERT and TRUSTED_ROOT certificates are valid and have not expired. See the knowledge base article at Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.x and 7.x.
• The ESXi hosts are not in maintenance mode.

For more information, see Certificate Management for ESXi Hosts.