ESXi Host Certificate Details Invisible or Greyed Out in vCenter Server

Article ID: 428153

Updated On:

Products

VMware vCenter Server

Issue/Introduction

When navigating to an ESXi host within the vSphere Client, administrators may observe the following symptoms:

  • The Certificate section under the host's Manage or Configure tab is empty or shows "No data."

  • Certificate details such as Subject, Issuer, and Expiration Date are invisible.

  • Action buttons such as Renew or Refresh CA Certificates are greyed out or missing.

  • The host is confirmed to be connected and "Normal" in vCenter, but certificate management tasks fail.

The host certificate is verified to be centrally managed by VMCA.

Environment

VMware vCenter Server

Cause

This issue is typically caused by the vCenter Server's certificate management mode being set to "thumbprint" in the Advanced Settings.

Resolution

To restore visibility, the vCenter configuration must be moved to either vmca or custom mode. Thumbprint mode is not recommended as a permanent solution for certificate-related issues and should only be used as a temporary fallback while troubleshooting.

Prerequisites

  1. Ensure all ESXi hosts have certificates that are either signed by the VMCA or your Corporate CA.
  2. Take a snapshot of the vCenter Server Appliance (vCSA). Refer to Snapshot Best practices for vCenter Server Virtual Machines before you take a snapshot of the vCenter virtual machine.

Procedure

  1. Log in to the vSphere Client.
  2. Select the vCenter Server > Configure > Advanced Settings.
  3. Click Edit Settings and filter for vpxd.certmgmt.mode.
  4. Update the value based on your architecture:
    • Set to vmca if using VMware certificates.
    • Set to custom if you are manually uploading your own CA-signed certificates.
  5. Click Save.
  6. Restart the vCenter Service (vpxd):
    • SSH into the vCSA and run:
      service-control --restart vpxd
  7. Validate ESXi Host Certificate Details: If host details do not appear immediately, right-click the host and select Connection > Reconnect.
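
Prerequisite 1 can be checked with OpenSSL before the mode is changed. The script below is an added example, not part of the original article or of VMware tooling: it classifies a host certificate against a CA bundle you supply (the VMCA root or your corporate CA, exported separately). The function names, the example.test host names and the constructed demo PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the KB): confirm an ESXi host certificate chains to
# the expected CA (VMCA root or corporate CA) before leaving thumbprint mode.

# fetch_host_cert <host> <out.pem>: save the certificate served on port 443.
fetch_host_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# check_host_cert <cert.pem> <ca-bundle.pem>
# Prints trusted | expired | untrusted | unreadable; returns 0 only for trusted.
check_host_cert() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted; return 0
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    echo untrusted; return 1
}

# make_demo_pki <dir>: build CONSTRUCTED test material: a demo CA, one host
# certificate signed by it, and one self-signed host certificate.
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=esx01.example.test" \
        -keyout "$d/signed.key" -out "$d/signed.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/signed.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/signed.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=esx02.example.test" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null
}

# Stand-alone demo on the constructed certificates: sh check.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp"
    for c in signed selfsigned; do
        printf '%s: ' "$c"; check_host_cert "$tmp/$c.pem" "$tmp/ca.pem"
    done
    rm -rf "$tmp"
fi
```

Any host that does not report trusted against the CA matching the target mode fails prerequisite 1 and should be dealt with before vpxd.certmgmt.mode is changed.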

Additional Information

Change the ESX Certificate Mode

In vSphere, the vpxd.certmgmt.mode parameter determines how vCenter interacts with host certificates:

  • vmca (default): vCenter manages and issues certificates via the VMware Certificate Authority.

  • custom: The administrator manually installs certificates signed by an external or corporate Certificate Authority (CA) on both vCenter and ESXi hosts.

  • thumbprint: vCenter ignores CA validation and only checks the certificate's hash. In this mode, vCenter stops querying certificate metadata, leading to the "invisible" details and disabled UI buttons.