Unable to generate a CSR to replace custom certificates on ESXi hosts

Article ID: 383320


Products

VMware vSphere ESXi, VMware vCenter Server 8.0, VMware vCenter Server

Issue/Introduction

When trying to generate a CSR for custom certificate replacement on ESXi hosts, the Generate CSR and Import options are greyed out.

The greyed-out options appear after clicking Host > Configure > System > Certificate > Manage with External CA.

Environment

vCenter Server 8.0 U3 and later

Cause

This is expected behavior caused by the default vCenter certificate mode (vmca).

Resolution

To allow the replacement of certificates on ESXi hosts with custom certificates, change the vCenter certificate mode to "custom" in the advanced settings.

1. Log in to the vCenter UI.
2. Select the vCenter object > Configure > Settings > Advanced Settings > Edit, then change vpxd.certmgmt.mode from vmca to custom.
3. Click Save.

Note: Changing the certificate mode to custom requires all hosts to have custom CA-signed certificates that are not managed by vCenter.

