SSL Certificate Auto-Renew for Machine SSL and ESXi (VCF 9.0.2 and Later / vCenter 8.0U3h and Later)
Article ID: 427937

Products

VMware vCenter Server

Issue/Introduction

vCenter Server 8.0 Update 3h and VMware Cloud Foundation (VCF) 9.0.2 introduce automatic renewal of Machine SSL and ESXi SSL certificates.
This article answers the following questions about the behavior of the automatic renewal feature:

  • The difference between auto-renew configured on VCF Ops (Fleet Management) and through the native functionality in vCenter Server.
  • How many days before the Machine SSL certificate's expiration date/time is the pre-expiration notification alarm triggered?
  • Is the automatic renewal of SSL certificates (Machine, ESXi) triggered by the SSL certificate's expiration date/time or the date/time the pre-expiration notification alarm is triggered?
  • Are vCenter services automatically restarted during the SSL certificate automatic renewal?

Environment

VMware vCenter Server 8.0 Update 3h
VMware Cloud Foundation 9.0.2

Resolution

VCF 9.0.2 (Configured in Fleet Management):

  • Manage certificates in VCF Ops: It is recommended to configure your certificate authority in VCF Ops under Fleet Management > Certificates.
  • VMware Cloud Foundation supports automatic renewal of Transport Layer Security (TLS) certificates for components that have VMCA, Microsoft CA, OpenSSL, or self-signed certificates and that support non-disruptive certificate updates.
  • Automatic renewal happens 60 days prior to certificate expiration.
  • Note on ESXi host certificates: When an ESXi host is configured with a CA-signed certificate through Fleet Management for the first time, the vCenter Server advanced setting vpxd.certmgmt.mode is switched to 'custom'. As a consequence, you must apply a CA-signed certificate to each new host before commissioning it into the inventory.

VVF 9.0.2/vCenter 8.0U3h (Configured in vCenter Server):

  • Pre-expiration notification alarm: By default, the certificate pre-expiration notification alarm is triggered 30 days before the certificate expires.
  • Renewal Timing:
    • ESXi SSL Certificate: Automatically renewed 10 days before the expiration date/time. This 10-day threshold can be modified using the parameter vpxd.certmgmt.certs.autoRenewThreshold.
    • vCenter Machine SSL Certificate: Automatically renewed 5 days before the expiration date/time. This threshold is fixed in the implementation and cannot be changed.
  • Behavior regarding service restarts: vCenter services are not restarted during the automatic certificate renewal process. The certificate is replaced without requiring a service restart.
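The following is an added example, not Broadcom's code: it models the vCenter-native timing described above (30-day pre-expiration alarm, ESXi renewal at the configurable vpxd.certmgmt.certs.autoRenewThreshold, Machine SSL renewal at a fixed 5 days) and classifies a constructed certificate inventory against a chosen clock, so an administrator can tell whether an alarm is expected, whether renewal should already be in progress, or whether a certificate has expired without being renewed. It does not talk to vCenter; the expiry dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Documented defaults: alarm 30 days before expiry; ESXi renewal 10 days before
# (tunable via vpxd.certmgmt.certs.autoRenewThreshold); Machine SSL 5 days (fixed).
ALARM_DAYS = 30
MACHINE_SSL_RENEW_DAYS = 5
DEFAULT_ESXI_RENEW_DAYS = 10

@dataclass
class CertRecord:
    name: str            # hypothetical inventory label
    kind: str            # "machine_ssl" or "esxi"
    not_after: datetime  # certificate notAfter, UTC

def renew_days(kind, esxi_threshold=DEFAULT_ESXI_RENEW_DAYS):
    """Days before expiry at which vCenter auto-renews this kind of certificate."""
    if kind == "machine_ssl":
        return MACHINE_SSL_RENEW_DAYS  # fixed in the implementation
    if kind == "esxi":
        return esxi_threshold          # vpxd.certmgmt.certs.autoRenewThreshold
    raise ValueError(f"unknown certificate kind: {kind}")

def classify(rec, now, esxi_threshold=DEFAULT_ESXI_RENEW_DAYS):
    """Return the expected state of one certificate at time `now`."""
    alarm_at = rec.not_after - timedelta(days=ALARM_DAYS)
    renew_at = rec.not_after - timedelta(days=renew_days(rec.kind, esxi_threshold))
    if now >= rec.not_after:
        return "expired"        # renewal did not happen; investigate
    if now >= renew_at:
        return "renewal-due"    # vCenter should be replacing this certificate
    if now >= alarm_at:
        return "alarm-raised"   # pre-expiration alarm expected, renewal pending
    return "ok"

def threshold_warnings(esxi_threshold):
    """Flag an ESXi threshold that makes renewal precede the 30-day alarm."""
    if esxi_threshold >= ALARM_DAYS:
        return ["ESXi auto-renew would occur before the pre-expiration alarm fires"]
    return []

def audit(records, now, esxi_threshold=DEFAULT_ESXI_RENEW_DAYS):
    return {r.name: classify(r, now, esxi_threshold) for r in records}

# Constructed sample inventory and clock.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    CertRecord("vcsa01 machine SSL", "machine_ssl", datetime(2026, 3, 4, tzinfo=timezone.utc)),
    CertRecord("esx01", "esxi", datetime(2026, 3, 20, tzinfo=timezone.utc)),
    CertRecord("esx02", "esxi", datetime(2026, 6, 1, tzinfo=timezone.utc)),
    CertRecord("esx03", "esxi", datetime(2026, 2, 28, tzinfo=timezone.utc)),
]
```

Running `audit(SAMPLE, NOW)` with the default threshold marks the Machine SSL certificate (3 days left) as renewal-due, esx01 (19 days left) as alarm-raised, esx02 as ok, and esx03 as expired; raising the ESXi threshold to 20 moves esx01 into renewal-due.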
