Generating Certificate or Certificate Signing Request(CSR) for ESXi host with custom parameters using VCSA UI
search cancel

Generating Certificate or Certificate Signing Request(CSR) for ESXi host with custom parameters using VCSA UI

book

Article ID: 390630

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi 8.0 VMware vSphere ESXi 7.0

Issue/Introduction

Generating Certificate or Certificate Signing Request (CSR) for ESXi host with custom parameters using VCSA UI

Environment

vSphere 8.0.x

Resolution

Note: Ensure the ESXi hosts are not in maintenance mode before applying the steps.

In order to generate Certificate or CSR with custom parameters, proceed with the steps below:

  • Validate the Certificate mode on vCenter server is set to VMCA

    • In the vSphere Client, select the vCenter Server.
    • On the right pane, Click Configure -> Settings -> Advanced Settings
    • Click Edit Settings.
    • Click the Filter icon in the Name column, and in the Filter box, enter vpxd.certmgmt.mode to display only certificate mode parameters.

       

      Note: Parameter vpxd.certmgmt.mode should be set to vmca, refer: Change the ESXi Certificate Mode

  • Update Esxi certificate parameters with desired values.  

    • In the vSphere Client, select the vCenter Server.
    • On the right pane, Click Configure -> Settings -> Advanced Settings
    • Click Edit Settings.
    • Click the Filter icon in the Name column, and Filter using following parameters and set to desired values. 

      vpxd.certmgmt.certs.cn.email
      vpxd.certmgmt.certs.cn.localityName
      vpxd.certmgmt.certs.cn.organizationalUnitName
      vpxd.certmgmt.certs.cn.organizationName
      vpxd.certmgmt.certs.cn.state

  • Regenerate default certificate for Esxi using custom values. 

    • Browse to the host in the vSphere Client inventory.
    • On the right pane, click Configure -> System -> Certificate
    • You can view detailed information about the selected host's certificate.
    • Click Renew


      Please note above steps need to be performed on each host in the inventory where you desired to have custom certificate.

      Once the certificate is generated validated if the parameters are updated with desired values

      Note: When Esxi Certificate Mode is set to custom you should add the custom CA Root certificates to vCenter trusted root store before updating the host certificates.

  • Change the certificate mode on vCenter server to "custom" to generate certificate signing request (CSR) 

    • In the vSphere Client, select the vCenter Server.
    • On the right pane, Click Configure -> Settings -> Advanced Settings
    • Click Edit Settings.
    • Click the Filter icon in the Name column, and in the Filter box, enter vpxd.certmgmt.mode to display only certificate mode parameters.
    • Change the value to "custom" instead of "vmca".
    • Browse to the host in the vSphere Client inventory.
    • Click Configure.
    • Under System, click Certificate.
    • You can view detailed information about the selected host's certificate.
    • Click on Manage with External CA > Generate CSR using FQDN
      This CSR will have the parameters as per the changes made



      Please note above steps need to be performed on each host in the inventory where you desired to have custom certificate.

  • Replace esxi certificate with custom certificate. 

    • Get generated CSR request is signed by your CA, and you have the custom certificate,
    • Use "Import and Replace" option: Configure -> Certificate -> Manage with External CA > Import and Replace

 

Additional Information

Powered by Wolken Software