The certificate status health check verifies the validity and availability of the host’s security certificates. This monitoring ensures that administrative access remains secure and that automated tasks such as host additions or updates do not fail due to trust issues.
| Status | Definition | Operational Impact |
| --- | --- | --- |
| Valid | The certificate is currently active, within its date range, and signed by a trusted CA. | None. All secure communications and management tasks are functioning normally. |
| Expired | The certificate's "Valid To" date has passed. | High. Management agents (vpxa) may disconnect, vCenter may show the host as "Not Responding," and vMotion tasks will fail. |
| Not Available | The certificate file is missing, corrupt, or inaccessible to the ESXi host. | Critical. The host cannot establish a secure identity. vCenter will be unable to manage the host until a certificate is provisioned. |
VMware Cloud Foundation Operations 9.0/9.1
ESXi certificates are typically stored in /etc/vmware/ssl/ as rui.crt (certificate) and rui.key (private key). By default, vCenter Server acts as the VMware Certificate Authority (VMCA) and automatically manages the renewal of these certificates.
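The following script is an added example, not VMware tooling or part of the VCF Operations health check itself. It reproduces the Valid / Near Expiry / Expired / Not Available classification for a PEM certificate file and adds a check that the private key actually belongs to the certificate, since a corrupt or mismatched rui.key also leaves the host unable to present its identity. It assumes the openssl command-line tool is on PATH (it is on ESXi and on most management hosts), uses a 30-day "Near Expiry" window that this page does not define, and builds its own throwaway self-signed certificates for the demonstration; on a real host you would point it at /etc/vmware/ssl/rui.crt and rui.key. It checks the date range and parseability only, not whether the issuer is a CA the vCenter trusts.

```shell
#!/bin/sh
# Added example: classify an ESXi-style certificate file into the health-check
# states and verify the cert/key pairing. Requires the openssl CLI (assumption).

# cert_status FILE [WARN_DAYS]
# Prints one of: Valid, Near Expiry, Expired, Not Available
cert_status() {
    cert="$1"
    warn_days="${2:-30}"   # 30-day warning window is an assumption, not from the docs
    # Missing or unreadable file: the host has no certificate to present.
    if [ ! -r "$cert" ]; then
        echo "Not Available"; return 0
    fi
    # File exists but is not a parseable certificate: treat as corrupt.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "Not Available"; return 0
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "Expired"; return 0
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "Near Expiry"; return 0
    fi
    echo "Valid"
}

# key_matches_cert CERT KEY
# Prints "match" when the public half of the private key equals the public key
# embedded in the certificate, "mismatch" otherwise (works for RSA and EC keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || { echo "mismatch"; return 0; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || { echo "mismatch"; return 0; }
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# make_test_cert DIR NAME DAYS
# Constructed self-signed certificate and key for the demonstration only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Demonstration on constructed data; replace the paths with
# /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key on a host.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" esxi-ok 365
make_test_cert "$demo_dir" esxi-soon 5
printf 'not a certificate\n' > "$demo_dir/corrupt.crt"
echo "esxi-ok:   $(cert_status "$demo_dir/esxi-ok.crt")"
echo "esxi-soon: $(cert_status "$demo_dir/esxi-soon.crt")"
echo "corrupt:   $(cert_status "$demo_dir/corrupt.crt")"
echo "missing:   $(cert_status "$demo_dir/none.crt")"
echo "key pair:  $(key_matches_cert "$demo_dir/esxi-ok.crt" "$demo_dir/esxi-ok.key")"
echo "wrong key: $(key_matches_cert "$demo_dir/esxi-ok.crt" "$demo_dir/esxi-soon.key")"
```

Running `cert_status /etc/vmware/ssl/rui.crt` from the ESXi shell (or from a monitoring host that has fetched the file) gives the same state the health check reports, and pairing it with `key_matches_cert` distinguishes a simply expired certificate, which a vSphere Client refresh fixes, from a broken or mismatched pair, which is the "Not Available" case that needs regeneration or reconnection to vCenter.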
If a certificate is Expired, you can trigger a refresh from the vSphere Client. But if your certificate status is Not Available, you may need to force the host to generate a new self-signed certificate or reconnect it to vCenter to allow the VMCA to provision a new one.
Follow the steps in the KB article below to renew the certificate or to force the host to generate a new one.
https://knowledge.broadcom.com/external/article?articleNumber=374032
For a certificate that is Near Expiry, use the Certificate Management capability within VCF Operations to refresh the certificate.