Renewing ESXi Host Certificates via vCenter Server while Lockdown Mode is Enabled



Article ID: 434360


Products

  • VMware vSphere ESXi
  • VMware vCenter Server

Issue/Introduction

This article answers the following frequently asked questions about ESXi host certificates:

  • Whether ESXi host certificates can be renewed from vCenter Server while Lockdown Mode is enabled on the host.
  • Whether renewing ESXi host certificates affects a vCenter High Availability (VCHA) deployment.

Environment

vSphere 8.0.x

Cause

Lockdown Mode restricts direct access to the ESXi host: users can no longer log in locally or remotely (SSH, ESXi Shell, Host Client, and in strict mode the DCUI as well) unless they are on the host's Exception Users list. Management operations issued by the vCenter Server that manages the host are unaffected, because they reach the host through its management agent (vpxa) under the vpxuser account, which Lockdown Mode always permits. Certificate renewal initiated from vCenter Server is one of these operations.

Resolution

ESXi host certificates can be renewed from vCenter Server whether Lockdown Mode is enabled or disabled. The operation uses the standard vCenter-to-vpxa management path, so the host does not need to be taken out of Lockdown Mode, and Lockdown Mode remains in its current state afterwards.

  1. Log in to the vSphere Client.
  2. Select the ESXi host in the inventory.
  3. Click the Configure tab.
  4. Under System, select Certificate.
  5. Click Renew to have vCenter Server issue a new certificate for the host (the expected path when vCenter's certificate mode is VMCA), or click Refresh CA Certificates to push the current trusted root certificates from vCenter Server to the host without replacing the host's own certificate.

Note: Renewing ESXi host certificates has no impact on vCenter HA (VCHA): the operation replaces only the host's own certificate and does not change any vCenter Server certificate used between the VCHA nodes. Although no service disruption is expected, perform these steps during a scheduled maintenance window to limit the impact of any unforeseen operational error.
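The following PowerCLI script is an added example and is not part of this KB article or a VMware-provided tool. It performs the same renewal as the Renew action described above through the vCenter-side vim.CertificateManager API, and it records the host's Lockdown Mode before and after the call to show that the mode never has to change (the point made under Cause). It assumes the VMware.PowerCLI module is installed, the session user holds the Certificates.Manage privilege on vCenter Server, and vCenter's certificate mode is VMCA; the vCenter and host names are placeholders.

```powershell
# Added example, not part of the KB: renew an ESXi host's VMCA-signed certificate from
# vCenter Server with PowerCLI and confirm that Lockdown Mode was never changed.
# Assumptions (placeholder values): VMware.PowerCLI is installed, the session user has
# the Certificates.Manage privilege, and vCenter's certificate mode is VMCA.
param(
    [string]$VIServer = 'vcsa.example.com',   # placeholder vCenter Server FQDN
    [string]$HostName = 'esxi01.example.com'  # placeholder ESXi host name as shown in vCenter
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server $VIServer -ErrorAction Stop

$vmhost   = Get-VMHost -Server $vc -Name $HostName -ErrorAction Stop
$hostView = $vmhost.ExtensionData   # vim.HostSystem managed object

# Lockdown Mode is read from the HostSystem config. vCenter keeps its access through
# vpxuser/vpxa in every mode, so nothing is changed here before renewing.
$lockdownBefore = $hostView.Config.LockdownMode   # lockdownDisabled | lockdownNormal | lockdownStrict
$thumbBefore    = $hostView.Summary.Config.SslThumbprint
Write-Host ("{0}: Lockdown Mode = {1}, current SSL thumbprint = {2}" -f `
    $vmhost.Name, $lockdownBefore, $thumbBefore)

# vCenter-side CertificateManager (ServiceContent.certificateManager). CertMgrRefreshCertificates
# re-issues the host certificate from VMCA, the same operation as Renew in the vSphere Client.
# CertMgrRefreshCACertificatesAndCRLs on the same object corresponds to Refresh CA Certificates.
$certMgr = Get-View -Server $vc -Id $vc.ExtensionData.Content.CertificateManager
$certMgr.CertMgrRefreshCertificates(@($hostView.MoRef))   # synchronous wrapper; waits for the task

# Re-read the host object and verify: new thumbprint, Lockdown Mode unchanged.
$hostView.UpdateViewData('Config.LockdownMode', 'Summary.Config.SslThumbprint', 'Runtime.ConnectionState')
$lockdownAfter = $hostView.Config.LockdownMode
$thumbAfter    = $hostView.Summary.Config.SslThumbprint

if ($lockdownAfter -ne $lockdownBefore) {
    throw "Lockdown Mode changed from $lockdownBefore to $lockdownAfter; investigate before continuing."
}
if ($thumbAfter -eq $thumbBefore) {
    Write-Warning "Host certificate thumbprint is unchanged; check vCenter's certificate mode (vpxd.certmgmt.mode) and the task in Recent Tasks."
} else {
    Write-Host ("Renewed: {0} -> {1} (host state {2}, Lockdown Mode still {3})" -f `
        $thumbBefore, $thumbAfter, $hostView.Runtime.ConnectionState, $lockdownAfter)
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it from a PowerCLI session as `.\Renew-EsxiHostCert.ps1 -VIServer <vcenter> -HostName <host>`. The thumbprint comparison is the practical check that a new certificate was actually installed; an unchanged thumbprint after a completed task usually means vCenter is not in VMCA certificate mode, which is the case covered by the "Failed to update ESXi certificate in vCenter" article linked below.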

Additional Information

Configuring and Managing Lockdown Mode on ESXi Hosts

Failed to update ESXi certificate in vCenter

Japanese KB: Renewing ESXi Host Certificates from vCenter Server while Lockdown Mode is Enabled (ロックダウン モード有効時に vCenter Server から ESXi ホストの証明書を更新する)