Renew ESXi Host Certificates with VMCA-signed Certificate
search cancel

Renew ESXi Host Certificates with VMCA-signed Certificate

book

Article ID: 385183

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

ESXi contains a host certificate that is used to encrypt traffic between itself and endpoints such as its managing vCenter Server or a client machine when connecting to its web GUI. Occasionally, these certificates need to be renewed.

Environment

  • VMware vSphere ESXi 7.x
  • VMware vSphere ESXi 8.x

Cause

  • The host certificate is expiring soon.
  • Attempting to upgrade the host from ESXi 7.x to 8.x results in an error related to SHA-1 certificates. These certificates need to be replaced to adhere to the 8.x requirement which removes support for SHA-1.

Resolution

Log into the vSphere Web Client and navigate to the host whose certificate needs to be renewed. 

  1. Click on the Configure tab
  2. Click Certificate 
  3. Click MANAGE WITH VMCA
  4. Click Renew


Additional Information

  • If the vCenter Server certificate management mode (vpxd.certmgmt.mode under Advanced vCenter Settings) must be set to vmca (the default). If it is set to custom, the Renew button will be greyed out.
  • Certificates cannot be renewed beyond the expiration date of the root certificate. If the root is expiring soon, the host renewal will be truncated to that date.

ESXi ホストの証明書を VMCA によって署名された証明書へ置き換える

Powered by Wolken Software