Refresh or Renew of ESXi host certificate (VMCA) from the vCenter Server UI or host client doesn't change the Machine certificate of the host
Article ID: 416914

Products

VMware vSphere ESXi

Issue/Introduction

  • The ESXi host is flagged with the alarm "ESXi Host Certificate Status" when the host certificate is nearing or past its expiration date.
  • Right-click the ESXi host in Inventory > Certificates > Renew/Refresh Certificate in the vCenter Server UI. The task completes, but the actual Machine certificate does not change (its validity remains the same).

NOTE: This KB applies only if the ESXi host is using a VMCA self-signed certificate.

Environment

VMware vSphere ESXi

Cause

  • During ESXi host certificate renewal from the vSphere UI, vCenter Server retrieves a fresh certificate for the host, signed by the VMCA root.
  • The default validity of the ESXi host certificate is up to 5 years.
  • The status is Expiring if the certificate is valid for less than eight months, Expiring shortly if it is valid for less than two months, and Expiration imminent if it is valid for less than one month.
  • The ESXi host certificate adopts at most the validity of the VMCA root certificate, and this limit is reflected in the host certificate's "Valid to" field.
  • An ESXi certificate cannot be renewed with an expiration date beyond that of the VMCA root certificate. For example, even if the ESXi vpxd.certmgmt.certs.daysValid advanced option is set to five years and your VMCA root certificate expires in two years, the ESXi certificate expiration date is limited to two years.
  • If the VMCA root certificate of the vCenter Server is nearing expiration, the same certificate is pushed to the ESXi host during the renewal process, and hence the Machine certificate of the host remains unchanged.

Resolution

Check the validity of the VMCA root certificate either from vSphere UI or from CLI.

From vSphere UI:

  • Click Administration > Certificates > Certificate Management > VMCA root certificate

From CLI:

  • Open an SSH session to the vCenter Server
  • Display the root certificate: cat /var/lib/vmware/vmca/root.cer
  • Copy the output, paste it into a text editor, and save the file with a .cer extension (for example, root.cer)
  • Open the root.cer file and check its validity period
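
The following script is an added example, not part of this KB: it reads the notAfter date from root.cer with openssl, classifies the remaining validity using the Expiring / Expiring shortly / Expiration imminent thresholds given under Cause, and shows the cap that the root's remaining life places on a renewed host certificate. It assumes openssl and GNU date are available (as on the vCenter Server appliance), takes a month as 30 days, and assumes 1825 days (5 years) as the daysValid value.

```shell
# Added example (not from the KB): classify the VMCA root certificate's remaining
# validity with the KB's thresholds and show the cap it puts on a renewed ESXi
# host certificate. Assumes openssl and GNU date, as on the vCenter appliance.

EXPIRING_DAYS=240          # < eight months -> "Expiring"   (30-day months assumed)
EXPIRING_SHORTLY_DAYS=60   # < two months   -> "Expiring shortly"
IMMINENT_DAYS=30           # < one month    -> "Expiration imminent"
DAYS_VALID=1825            # assumed value of vpxd.certmgmt.certs.daysValid (5 years)

# cert_not_after FILE -> notAfter of a PEM certificate as epoch seconds (UTC).
cert_not_after() {
  na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  date -u -d "$na" +%s
}

# days_left FILE -> whole days until FILE's certificate expires (negative if expired).
days_left() {
  echo $(( ( $(cert_not_after "$1") - $(date -u +%s) ) / 86400 ))
}

# cert_status DAYS -> KB status label for a certificate with DAYS of validity left.
cert_status() {
  if   [ "$1" -lt 0 ];                        then echo "Expired"
  elif [ "$1" -lt "$IMMINENT_DAYS" ];         then echo "Expiration imminent"
  elif [ "$1" -lt "$EXPIRING_SHORTLY_DAYS" ]; then echo "Expiring shortly"
  elif [ "$1" -lt "$EXPIRING_DAYS" ];         then echo "Expiring"
  else                                             echo "Good"
  fi
}
# max_renewal_days ROOT_DAYS_LEFT DAYS_VALID -> longest validity a renewed host
# certificate can get: daysValid, capped by the root's remaining life.
max_renewal_days() {
  if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# report ROOT_CER [HOST_CER ...]; on vCenter run as: sh check_vmca.sh [host rui.crt ...]
report() {
  root=$1; shift
  [ -r "$root" ] || { echo "$root: not readable, skipping"; return 0; }
  left=$(days_left "$root")
  echo "VMCA root $root: $left days left -> $(cert_status "$left")"
  echo "a renewed host certificate is capped at $(max_renewal_days "$left" "$DAYS_VALID") days"
  for f in "$@"; do   # optional ESXi host certificates copied to this machine
    [ -r "$f" ] || { echo "$f: not readable, skipping"; continue; }
    left=$(days_left "$f")
    echo "host cert $f: $left days left -> $(cert_status "$left")"
  done
}
report "${ROOT_CER:-/var/lib/vmware/vmca/root.cer}" "$@"
```

If the root line reports a cap shorter than the host certificate's current validity, a UI renewal cannot extend the host certificate, which is the symptom this KB describes.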

If the root.cer validity is nearing the expiry date, perform the following steps to renew the VMCA root certificate:

1) Replace the VMCA root certificate using either option 4 or option 8 of the certificate manager utility, as described in the KB: Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA

  • Option 4 - Regenerate a new VMCA Root Certificate and replace all certificates (performs an automatic rollback after a failed certificate replacement)
  • Option 8 - Reset all certificates; replaces the VMCA root, Machine SSL and solution user certificates (does not perform an automatic rollback after a failed certificate replacement)

NOTE: Replacing the VMCA root certificate can also be performed with the vCert script.

2) Once the VMCA root certificate is renewed, perform the ESXi host certificate renewal from the vCenter Server UI.