ESXi Host System Certificate Missing After Hardware Crash / Unexpected Reboot

Article ID: 428448

Products

VMware vCenter Server

Issue/Introduction

After a hardware crash, blade reboot, or abrupt power event (for example, a Cisco UCS blade failure), one or more ESXi hosts show certificate-related issues.

You may observe:

  • Host shows disconnected / not responding in vCenter

  • System Certificate is missing on the ESXi host

  • Unable to connect host to vCenter

  • Certificate warnings when reconnecting host

  • /etc/vmware/ssl files missing or empty

  • Services depending on hostd/vpxa fail to start

  • Hostd log shows certificate errors similar to:

 
SSL Exception: Verification parameters: Unable to get local issuer certificate No certificate assigned to host

Environment

VMware vSphere ESXi 6.7 / 7.x / 8.x

Cause

During an unexpected reboot or storage corruption event, the ESXi host certificate store can become corrupted or deleted.

The following files may be lost:

/etc/vmware/ssl/rui.crt
/etc/vmware/ssl/rui.key


These files hold the ESXi host system certificate (rui.crt) and its private key (rui.key), which the host uses to authenticate to vCenter Server (VMCA or custom CA).

Without them, the host cannot authenticate and appears missing or invalid in vCenter.

Impact

  • Host cannot properly communicate with vCenter
  • vCenter cannot manage VMs on affected host
  • Reconnection attempts fail
  • Host trust relationship is broken

Resolution

Regenerate the ESXi host certificate and re-establish trust with vCenter.

Step 1 — Enable SSH on the ESXi Host

From DCUI:

Troubleshooting Options → Enable SSH

Connect via SSH or console.

Step 2 — Back Up Existing SSL Folder (If Present)

mkdir /tmp/sslbackup
cp -r /etc/vmware/ssl/* /tmp/sslbackup/

Step 3 — Remove Corrupted Certificates

rm -f /etc/vmware/ssl/rui.crt
rm -f /etc/vmware/ssl/rui.key

Step 4 — Regenerate Self-Signed Host Certificate

/sbin/generate-certificates


Verify files recreated:

ls -l /etc/vmware/ssl/


You should see:

rui.crt
rui.key

Step 5 — Restart Management Agents

/etc/init.d/hostd restart
/etc/init.d/vpxa restart


OR

services.sh restart

Step 6 — Reconnect Host in vCenter

1. Log in to vCenter

2. Right-click Host → Connect

3. Accept new certificate thumbprint
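
An added check, not part of the original article, for use after Step 4 and before accepting the thumbprint in Step 6: it confirms that rui.crt and rui.key are non-empty and belong to each other, then prints the thumbprint to compare with the one vCenter displays. It assumes openssl is available in the host shell; the function names, the SSL_DIR variable and the --check argument are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a regenerated ESXi certificate pair.
# SSL_DIR defaults to the path named in the article; override it for testing.
SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Return 0 only if both files exist, are non-empty, and share one public key.
cert_key_match() {
    dir="${1:-$SSL_DIR}"
    for f in "$dir/rui.crt" "$dir/rui.key"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 2
        fi
    done
    # Extract the public key from each file; a parse failure means corruption.
    crt_pub=$(openssl x509 -in "$dir/rui.crt" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$dir/rui.key" -pubout 2>/dev/null) || return 3
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Print the certificate thumbprint as colon-separated hex.
# $2 selects the digest: sha256 by default, sha1 if the dialog shows SHA-1.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" 2>/dev/null | cut -d= -f2
}

# Print subject and validity dates so a stale or wrong-host certificate stands out.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
}

# Runs only when invoked with --check, e.g. "sh check-rui.sh --check"
# (the script name is hypothetical).
if [ "${1:-}" = "--check" ]; then
    if cert_key_match "$SSL_DIR"; then
        cert_summary "$SSL_DIR/rui.crt"
        echo "thumbprint: $(cert_thumbprint "$SSL_DIR/rui.crt")"
    else
        echo "rui.crt and rui.key do not form a valid pair" >&2
        exit 1
    fi
fi
```

Compare the printed value with the thumbprint shown in the vCenter connect dialog before accepting it; a mismatch means vCenter is not looking at the certificate this host just generated.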

If Host Still Fails to Connect

Remove and re-add the host to vCenter:

No VM data loss occurs — VMs remain on datastore.

Steps:

1. Put host in Maintenance Mode (if possible)

2. Remove from inventory

3. Add Host → provide root credentials

4. Accept certificate

Optional — Force VMCA Signed Certificate

If the environment uses VMCA mode:

1. Disconnect host from vCenter

2. Regenerate certificates (steps above)

3. Reconnect host

4. vCenter automatically replaces it with a VMCA-signed certificate

Preventive Recommendation

Hardware crashes may corrupt ramdisk-stored configuration files.
Ensure:

  • ESXi config backup is enabled
  • vCenter Host Profiles are configured
  • Regular backups are taken using:

vim-cmd hostsvc/firmware/sync_config
vim-cmd hostsvc/firmware/backup_config

Additional Information

This procedure does not affect virtual machines or datastores.
Only the management trust relationship is rebuilt.

Related Issues

  • Host shows disconnected after reboot
  • Cannot verify host identity
  • Certificate thumbprint mismatch
  • vpxa registration failure