Replace the Custom certificates on the Hosts with default ESX Certificates
Article ID: 407161

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • Steps to convert the ESXi host certificates from custom (manually installed) certificates back to VMCA-signed certificates.

Environment

  • VMware vSphere 7.x
  • VMware vSphere 8.x 

Resolution

Note: Migrate the VMs to another host and place the host in maintenance mode first, because the host may be disconnected from vCenter while the custom certificates are replaced with VMCA-signed ones.

  1. Connect to the ESXi host over SSH.

  2. Validate that the existing certificate and key are present in /etc/vmware/ssl:

    ls -l /etc/vmware/ssl/

  3. Verify the issuer of the certificate. The issuing CA is shown in the output of:

    openssl x509 -in /etc/vmware/ssl/rui.crt -text -noout | grep Issuer

  4. To remove the custom certificates, delete the existing custom certificate and key:

    rm -f /etc/vmware/ssl/rui.crt
    rm -f /etc/vmware/ssl/rui.key

  5. To generate new local certificates, use the ESXi utility to generate a fresh set of temporary certificates:

    /sbin/generate-certificates


  6. Restart the host management services: restart hostd and vpxa to apply the new certificates and re-enable vCenter communication:

    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart


  7. The host will now show as disconnected in vCenter; reconnect it.

  8. Verify that the new certificate is signed by the VMware Certificate Authority (VMCA):

    openssl x509 -in /etc/vmware/ssl/rui.crt -text -noout | grep Issuer
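The issuer checks in steps 3 and 8 only print a DN; the following added example (not part of this article) classifies that DN so the state of the host certificate is unambiguous: custom CA, temporary self-signed certificate from generate-certificates, or VMCA-signed. It assumes the openssl binary on the host and the default VMCA root naming (CN=CA with DC=vsphere,DC=local).

```shell
#!/bin/sh
# Added example, not part of the KB article: classify the issuer of the ESXi
# host certificate so the checks in steps 3 and 8 give an unambiguous answer
# (custom CA, temporary self-signed, or VMCA-signed).
# Assumes the openssl binary on the host and the default VMCA root naming
# (CN=CA with DC=vsphere,DC=local); CERT may be overridden in the environment.
CERT="${CERT:-/etc/vmware/ssl/rui.crt}"

# True when the DN carries the attributes of a default VMCA root CA.
is_vmca_dn() {
  printf '%s\n' "$1" | grep -Eq 'CN=CA(,|$)' &&
  printf '%s\n' "$1" | grep -q 'DC=vsphere' &&
  printf '%s\n' "$1" | grep -q 'DC=local'
}

# classify_issuer SUBJECT_DN ISSUER_DN -> prints vmca | self-signed | custom
#   vmca        : provisioned by vCenter (expected after step 8 in vmca mode)
#   self-signed : subject equals issuer, what /sbin/generate-certificates emits
#   custom      : issued by some other CA (the state before step 4)
classify_issuer() {
  if is_vmca_dn "$2"; then
    echo vmca
  elif [ "$1" = "$2" ]; then
    echo self-signed
  else
    echo custom
  fi
}

# Read the DNs from the live certificate in RFC 2253 form (no spaces, so the
# string comparison and pattern matches are stable across OpenSSL versions)
# and report the state. Returns 0 only when the certificate is VMCA-signed.
check_host_cert() {
  subject=$(openssl x509 -in "$CERT" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$CERT" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  state=$(classify_issuer "$subject" "$issuer")
  echo "subject: $subject"
  echo "issuer:  $issuer"
  echo "state:   $state"
  [ "$state" = vmca ]
}
```

Source the script on the host and run check_host_cert after step 3 (expect custom) and after step 8 (expect vmca); a result of self-signed at step 8 means the temporary certificate is still in place and vCenter has not yet re-provisioned the host.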

     

  9. Use the vCenter Server advanced settings to set the certificate mode to vmca:

    1. In the vSphere Client, select the vCenter Server system that manages the hosts.
    2. Click Configure, and under Settings, click Advanced Settings.
    3. Click Edit Settings.
    4. Click the Filter icon in the Name column, and in the Filter box, enter vpxd.certmgmt to display only certificate management parameters.
    5. Change the value of vpxd.certmgmt.mode to vmca.

      Note: Use VMware Certificate Authority (VMCA) to provision certificates for the ESXi hosts in your environment unless corporate policy requires that you use custom certificates. To use custom certificates with a different root CA, you can edit the vCenter Server vpxd.certmgmt.mode advanced option. After the change, the hosts are no longer automatically provisioned with VMCA certificates when you refresh the certificates. Refer to Change the Certificate Mode.