Replacing the ESXi Custom Certificate from vCenter UI

Article ID: 410036

Products

VMware vSphere ESXi 8.0; VMware vSphere ESXi

Issue/Introduction

This article describes how to replace the certificate of an ESXi host with a certificate issued by an external (third-party) certificate authority, using the vCenter UI.

Environment

ESXi 7.0

ESXi 8.0

Cause

By default, vSphere components use the VMCA-signed certificate and key that are created during installation. If you accidentally delete the VMCA-signed certificate, remove the host from its vCenter Server system and add it back. When you add the host, vCenter Server requests a new certificate from VMCA and provisions the host with it.

Your company's security policy might require that you replace the default ESXi SSL certificate with a certificate signed by a third-party certificate authority (CA) on all your hosts.

Resolution

Procedure to replace the ESXi host certificate with an external CA-signed certificate from the vCenter UI

Step 1: Change the vCenter certificate mode to custom

In vCenter, the certificate mode is the advanced setting vpxd.certmgmt.mode (select the vCenter Server > Configure > Settings > Advanced Settings); set it to custom. Refer to the documentation on how to change the vCenter certificate mode: Change Certificate mode

Before replacing the host certificate, also make sure the issuing CA's root certificate (and any intermediate CA certificate) is present in the vCenter Server trusted root store (Administration > Certificates > Certificate Management > Trusted Root Certificates). If vCenter does not trust the issuer, it will not trust the new host certificate and the host can show as disconnected after the replacement.

Step 2: Navigate to the host in the vCenter inventory, select Configure > System > Certificate, and click Manage With External CA

Step 3: Click Generate CSR using FQDN

Step 4: Copy the generated CSR (the private key stays on the ESXi host; only the CSR is sent to the CA)

Step 5: Paste the CSR into the Microsoft Certificate Authority web enrollment page, select the "Web Server" template, and submit

Step 6: Choose Base 64 encoded and click "Download certificate" (the host certificate only), NOT "Download certificate chain"

Step 7: Go back to the vCenter UI (host > Configure > System > Certificate) and click "Import and Replace"

Select "Replace with external CA certificate where CSR is generated by ESXi (Private key embedded)".

Click Browse, select the certificate downloaded in Step 6 (not the CSR), and click Next.

Review and click Finish

The host certificate is now replaced with the external CA-signed certificate

The host UI will now show the connection as secured
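The most common failures in Steps 6 and 7 are importing the certificate chain instead of the single certificate, a DER file instead of Base 64, or a certificate that was not issued from the CSR vCenter generated for this host. The following script is an added pre-import check, not part of this article or of VMware's tooling; it uses openssl to confirm that the downloaded file is one Base 64 (PEM) certificate, that it carries the public key from the host's CSR (the private key never left the host), that the host FQDN appears in the subjectAltName or CN, and that the Web Server template produced a serverAuth extended key usage. The make_samples function builds a constructed key, CSR and self-signed certificate only so the check can be exercised offline; with real files run it as check_cert host.csr host.cer esxi01.example.com (hypothetical file and host names).

```shell
#!/bin/sh
# Pre-import checks for an ESXi host certificate downloaded from the CA.
# Added example; assumes openssl is in PATH. Not part of the VMware KB.
#
# check_cert CSR CERT FQDN -> returns 0 if CERT is fit to import, 1 otherwise
check_cert() {
  csr=$1; cert=$2; fqdn=$3
  # (a) exactly one certificate block: "Download certificate", not the chain
  n=$(grep -c 'BEGIN CERTIFICATE' "$cert" || true)
  if [ "$n" -ne 1 ]; then
    echo "FAIL: expected 1 certificate block, found $n (chain or empty file?)"
    return 1
  fi
  # (b) Base 64 (PEM) encoding that openssl can parse; a DER file fails here
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "FAIL: not a Base 64 / PEM encoded X.509 certificate"
    return 1
  fi
  # (c) the certificate must carry the public key from the ESXi-generated CSR,
  #     because the matching private key is embedded on the host
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null || true)
  cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  if [ -z "$csr_key" ] || [ "$csr_key" != "$cert_key" ]; then
    echo "FAIL: public key in certificate does not match the CSR"
    return 1
  fi
  # (d) the host FQDN must be in the SAN (or CN), and the Web Server template
  #     must have produced a serverAuth (TLS Web Server Authentication) EKU
  text=$(openssl x509 -in "$cert" -noout -text)
  if ! printf '%s\n' "$text" | grep -qE -e "DNS:$fqdn(,|\$)" -e "CN *= *$fqdn(,|\$)"; then
    echo "FAIL: $fqdn not found in subjectAltName or CN"
    return 1
  fi
  if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: no serverAuth extended key usage"
    return 1
  fi
  echo "OK: $cert is ready for Import and Replace"
  return 0
}

# make_samples DIR -> constructed test inputs (NOT real host material):
#   csr.pem/cert.pem  matching pair with SAN and serverAuth EKU
#   chain.pem         the same certificate twice, like a downloaded chain
#   other.csr         a CSR for a different key (public key mismatch case)
make_samples() {
  d=$1; fqdn=esxi01.lab.example
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
    -out "$d/csr.pem" -subj "/CN=$fqdn" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$d/ext.cnf"
  openssl x509 -req -in "$d/csr.pem" -signkey "$d/key.pem" -days 30 \
    -extfile "$d/ext.cnf" -out "$d/cert.pem" >/dev/null 2>&1
  cat "$d/cert.pem" "$d/cert.pem" > "$d/chain.pem"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/other.key" \
    -out "$d/other.csr" -subj "/CN=$fqdn" >/dev/null 2>&1
}

# Usage: sh check_esxi_cert.sh host.csr host.cer esxi01.example.com
if [ $# -eq 3 ]; then
  check_cert "$1" "$2" "$3"
fi
```

The FQDN check is anchored to the end of the SAN entry or CN value so that a certificate for esxi01.lab.example.com does not pass for esxi01.lab.example; the public key comparison is done on openssl's PEM output of the SubjectPublicKeyInfo, which is the same for the CSR and the certificate when the CA signed exactly what the host generated.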

Additional Information

If the certificate replacement reports success but the host still presents the old certificate, disconnect and reconnect the host in vCenter so that the certificate is refreshed.