ESXi hosts got disconnected from vSphere after replacing the default certificates with custom certificates on the hosts.

Article ID: 417709

Products

VMware vCenter Server

Issue/Introduction

ESXi hosts got disconnected from vSphere after replacing the default certificates with custom certificates on the hosts.

Attempts to reconnect the host fail with the error: "Authenticity of the host's SSL certificate is not verified."

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x
VMware vSphere ESXi 7.0.x
VMware vSphere ESXi 8.0.x

Cause

The vpxd.certmgmt.mode parameter was set to vmca, which means that vCenter Server acts as the Certificate Authority (CA) and issues the certificates for ESXi hosts. The hosts, however, were using certificates signed by a custom CA, so vCenter Server could not verify them.

Resolution

  • Log in to vSphere with the administrator account.
  • Select the vCenter Server -> Configure -> Advanced Settings.
  • Change vpxd.certmgmt.mode from vmca to thumbprint so that each ESXi host manages its own certificate.
  • Save the setting and restart the vpxd service on the vCenter Server.
  • Put the ESXi host into Maintenance mode and disconnect the host.
  • Log in to the host using WinSCP and replace the rui.crt and rui.key files with the custom signed certificate and key files.
  • Reboot the ESXi host.
  • Reconnect the host to vSphere; a pop-up appears asking for the host details.
  • Take the host out of Maintenance mode.
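
Added example, not part of this article: in thumbprint mode vCenter trusts a host by the thumbprint of the certificate it presents, so before accepting the reconnect pop-up it is worth confirming that the thumbprint shown there is the one of the rui.crt you installed. The script below computes that thumbprint in the colon-separated form vSphere displays (SHA-1 by default; the `algorithm` parameter and the function names are the example's own) and compares it with a value copied from the pop-up; the embedded PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file.

    rui.crt normally holds one certificate; if a chain was pasted in,
    the first block is the host's own (leaf) certificate.
    """
    lines = [ln.strip() for ln in pem_text.splitlines()]
    if PEM_BEGIN not in lines:
        raise ValueError("no PEM CERTIFICATE block found")
    start = lines.index(PEM_BEGIN) + 1
    body = "".join(lines[start:lines.index(PEM_END, start)])
    if not body:
        raise ValueError("empty PEM CERTIFICATE block")
    return base64.b64decode(body, validate=True)

def format_thumbprint(digest: bytes) -> str:
    """Render a digest the way vSphere displays thumbprints: AA:BB:CC:..."""
    return ":".join(f"{b:02X}" for b in digest)

def host_thumbprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Thumbprint of the certificate in rui.crt (SHA-1 by default)."""
    return format_thumbprint(hashlib.new(algorithm, pem_to_der(pem_text)).digest())

def verify_thumbprint(pem_text: str, expected: str, algorithm: str = "sha1") -> bool:
    """True if the installed certificate matches the thumbprint vCenter shows."""
    # Colons, spaces and letter case are ignored so a value copied from the
    # vSphere Client or from PowerCLI output compares cleanly.
    actual = host_thumbprint(pem_text, algorithm).replace(":", "").lower()
    wanted = expected.lower().replace(":", "").replace(" ", "")
    return hmac.compare_digest(actual, wanted)

# Constructed stand-in for rui.crt: a PEM wrapper around arbitrary bytes,
# NOT a real X.509 certificate; it only lets the functions run offline.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = PEM_BEGIN + "\n" + base64.encodebytes(SAMPLE_DER).decode() + PEM_END + "\n"

if __name__ == "__main__":
    import sys  # usage: python check_thumbprint.py /path/to/rui.crt [expected]
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("SHA-1 thumbprint:", host_thumbprint(pem))
    if len(sys.argv) > 2:
        print("matches vCenter:", verify_thumbprint(pem, sys.argv[2]))
```

Run it against the rui.crt you are about to upload, then compare the printed value with the thumbprint in the reconnect pop-up; a mismatch means the host is presenting a different certificate than the one you installed.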

Additional Information

https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere-supervisor/7-0/change-the-certificate-mode.html