Regenerating Self-Signed Certificates on Standalone ESXi Hosts

Article ID: 411694

Products

VMware vSphere ESXi

Issue/Introduction

This article provides the procedure to regenerate the self-signed SSL certificate on standalone VMware ESXi hosts running version 7.0 or later.
Regenerating certificates may be necessary if the existing certificate is expired, corrupted, or causing connectivity issues with management tools.

Environment

  • VMware vSphere ESXi 7.0.x
  • VMware vSphere ESXi 8.0.x

Resolution

Ensure you have administrative access to the ESXi host.

 

Enable SSH access to the host 

You can either use the Direct Console User Interface (DCUI) to enable SSH, or alternatively use the ESXi host client.

To enable SSH access via the ESXi Host Client, follow these steps:

  1. Open a web browser and connect directly to the ESXi host using the VMware Host Client URL https://<esxi_ip_or_fqdn>/ui/#/host
  2. Log in with the root account.
  3. In the left navigation pane, select "Manage", then go to the "Services" tab.
  4. Locate "TSM-SSH" in the list and click "Start" to enable the SSH service.

Stop the TSM-SSH service again from the same tab once the certificate has been regenerated, so that SSH is not left enabled on the host.


Regenerate the host certificate

  1. Connect to the host via SSH.
  2. Log in using the root account.
  3. Run the following command to generate a new self-signed certificate:
    # /sbin/generate-certificates
  4. Restart the ESXi management agents so that they load the new certificate:
    # /etc/init.d/hostd restart && /etc/init.d/vpxa restart

Restarting hostd drops any open Host Client session (the SSH session itself is unaffected); reconnect afterwards. Clients and browsers that recorded the old certificate thumbprint will prompt again, because the host now presents a new certificate.

If you manage multiple standalone ESXi hosts, repeat this procedure on each host as required.

Additional Information

If /sbin/generate-certificates appears to hang, check that the host has a proper FQDN configured. The script needs to resolve a valid Fully Qualified Domain Name (FQDN) to use as the certificate's Common Name (CN); without one it waits for a network timeout or for input that never comes.

If the host was configured with only an IP address, set a hostname temporarily, add a matching entry to /etc/hosts so that the name resolves locally, and then run the command above again to regenerate the certificate.
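As an added example that is not part of this article, the following POSIX shell script wraps the regeneration steps from the Resolution section and the FQDN pre-check from this section into functions, so the hang described above is caught before /sbin/generate-certificates is run, and the certificate fingerprint is compared before and after to confirm a new certificate was actually written. Assumptions not stated in the article: the host certificate lives at /etc/vmware/ssl/rui.crt, `hostname -f` returns the configured FQDN, and `openssl` is available on the host. The regeneration itself only runs when the script is invoked with `--run` on the ESXi host as root; without that argument only the pure-shell helpers are defined.

```sh
#!/bin/sh
# Added example, not part of the VMware KB article: wraps the article's
# regeneration steps in functions with the FQDN pre-check it recommends.
# Assumptions not stated in the article: the host certificate is at
# /etc/vmware/ssl/rui.crt, `hostname -f` returns the configured FQDN,
# and `openssl` is present on the host. The destructive part only runs
# when invoked as:  sh regen-cert.sh --run   (as root, on the ESXi host)

# is_fqdn NAME: succeed only if NAME is a fully qualified domain name:
# two or more dot-separated labels of [A-Za-z0-9-], 1-63 chars each,
# not starting or ending with "-". A short name ("esxi01") or a dotted-quad
# IP address is rejected; those are the cases that leave
# /sbin/generate-certificates waiting for a usable Common Name.
is_fqdn() {
    name=$1
    case "$name" in
        ''|.*|*.|*..*) return 1 ;;   # empty, leading/trailing dot, empty label
    esac
    # An IPv4 address has the right shape but is not a hostname.
    if printf '%s\n' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        return 1
    fi
    printf '%s\n' "$name" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# hosts_entry IP FQDN: print the /etc/hosts line that makes the FQDN
# resolve locally, e.g. "192.0.2.10 esxi01.lab.example esxi01".
hosts_entry() {
    short=${2%%.*}
    printf '%s %s %s\n' "$1" "$2" "$short"
}

# cert_fingerprint FILE: SHA-256 fingerprint of a PEM certificate, used to
# prove that a new certificate was actually written. Fails if openssl is absent.
cert_fingerprint() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# regenerate_esxi_cert: the article's procedure with checks around it.
regenerate_esxi_cert() {
    crt=/etc/vmware/ssl/rui.crt   # assumed location of the host certificate
    host=$(hostname -f 2>/dev/null || hostname)
    if ! is_fqdn "$host"; then
        echo "hostname '$host' is not an FQDN; set one and add a matching /etc/hosts entry first" >&2
        return 1
    fi
    before=$(cert_fingerprint "$crt" || echo none)
    /sbin/generate-certificates || return 1
    /etc/init.d/hostd restart && /etc/init.d/vpxa restart || return 1
    after=$(cert_fingerprint "$crt" || echo none)
    echo "old SHA-256: $before"
    echo "new SHA-256: $after"
    # Fail loudly if the certificate on disk did not change.
    [ "$before" != "$after" ]
}

if [ "${1:-}" = "--run" ]; then
    regenerate_esxi_cert
fi
```

Copy the script to the host over SSH and run it with `--run`; if the hostname check fails, apply the /etc/hosts fix described above (the `hosts_entry` helper prints the exact line to append) and run it again.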