Error: ESXi Certificate Mode "Thumbprint" is Deprecated in vSphere

Article ID: 427435

Products

VMware Cloud Director

Issue/Introduction

In VMware vSphere (including VCF and VVF environments), the vCenter Server reports that the host certificate mode is set to Thumbprint. This is a legacy state in which vCenter trusts each ESXi host by matching a hash (the thumbprint) of the host's certificate rather than by validating the certificate against a full Certificate Authority (CA) chain. This causes issues such as:

  • Security warnings regarding deprecated certificate management.
  • Lack of automated certificate renewal for ESXi hosts.
  • Requirement to manually "Accept" thumbprints when adding or reconnecting hosts.
  • Potential integration failures with VMware Cloud Foundation (VCF) or NSX.

Environment

VMware vSphere

VMware Cloud Foundation

Cause

The vCenter Server is configured with vpxd.certmgmt.mode set to thumbprint. This mode bypasses standard PKI validation: as long as the stored thumbprint matches, an expired or untrusted host certificate continues to be accepted. Modern vSphere security standards require VMCA or Custom mode, both of which enforce certificate chain validation and expiration monitoring.

Resolution

To resolve this issue, transition the environment to VMCA mode:

Change Certificate Mode:

  1. Log in to the vSphere Client.
  2. Select the vCenter Server in the inventory.
  3. Go to Configure > Settings > Advanced Settings.
  4. Click Edit Settings and search for vpxd.certmgmt.mode.
  5. Change the value from thumbprint to vmca.
  6. Click Save.

Renew ESXi Host Certificates:

  1. Navigate to the Hosts and Clusters view.
  2. Right-click each ESXi host.
  3. Select Certificates > Renew Certificate.
  4. Confirm the action. This forces vCenter to issue a new certificate signed by the VMware Certificate Authority (VMCA).
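The following PowerCLI script is an added example and is not part of this KB article or of VMware's own tooling. It performs the advanced-setting change from the first procedure through the API instead of the vSphere Client, and then, after the hosts have been renewed as described above, audits every host certificate the way VMCA mode does (chain built against the CA certificates the host itself trusts, plus expiry) rather than by thumbprint, which makes the difference described under Cause visible. Assumptions: the VMware.PowerCLI module is installed, 'vcsa.example.com' is a placeholder for your vCenter Server, and the account used can edit vCenter advanced settings; the function name Test-HostCertificate is this example's own.

```powershell
# Added example (PowerCLI); not from the KB article. 'vcsa.example.com' is a placeholder.
Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server 'vcsa.example.com'   # placeholder; prompts for credentials

# --- Step 1: switch vpxd.certmgmt.mode from thumbprint to vmca (the same setting the GUI edits) ---
$modeSetting = Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.mode'
Write-Host "Current certificate mode: $($modeSetting.Value)"
if ($modeSetting.Value -eq 'thumbprint') {
    Set-AdvancedSetting -AdvancedSetting $modeSetting -Value 'vmca' -Confirm:$false | Out-Null
    Write-Host 'vpxd.certmgmt.mode set to vmca'
}

# --- Step 2: after Certificates > Renew Certificate, audit each host the way VMCA mode does ---
function Test-HostCertificate {
    # Hypothetical helper written for this example.
    param([Parameter(Mandatory)] $VMHost)

    # HostConfigInfo.certificate holds the host's current certificate as PEM bytes.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [byte[]]$VMHost.ExtensionData.Config.Certificate)

    # CA certificates the host itself trusts (contains the VMCA root after a VMCA-mode renewal),
    # read through the host's HostCertificateManager managed object.
    $certMgr   = Get-View -Id $VMHost.ExtensionData.ConfigManager.CertificateManager
    $trustedCA = @($certMgr.ListCACertificates() | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [System.Text.Encoding]::ASCII.GetBytes($_))
    })

    # Build the chain against that CA list. AllowUnknownCertificateAuthority only suppresses the
    # "root not in the local machine store" error; an expired certificate still fails Build(),
    # which is exactly the check thumbprint mode never performed.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    foreach ($ca in $trustedCA) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }

    $chainBuilt = $chain.Build($cert)
    $anchored   = $false
    if ($chain.ChainElements.Count -gt 0) {
        # The last element is the chain's root; it must be one of the CAs the host trusts.
        $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $anchored  = $trustedCA.Thumbprint -contains $chainRoot.Thumbprint
    }

    [pscustomobject]@{
        Host        = $VMHost.Name
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint               # what thumbprint mode compared
        ChainValid  = ($chainBuilt -and $anchored)   # what VMCA / Custom mode requires
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Any host whose ChainValid is False, or whose Issuer is not the VMCA, still needs
# Certificates > Renew Certificate (or a reconnect) before the migration is complete.
Get-VMHost | ForEach-Object { Test-HostCertificate -VMHost $_ } | Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run the script once before the renewal step to record the thumbprints currently trusted, and again afterwards: the Issuer column should change to the VMCA and ChainValid should be True on every host. ChainStatus lists the reason (for example NotTimeValid or PartialChain) for any host that still fails.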