An ESXi host is marked with an alarm stating "ESXi Host Certificate Status" when the host certificate is nearing or past its expiration date.

vCenter Server monitors all the certificates within the VMware Endpoint Certificate Store. It triggers a Certificate Status alarm within the vCenter Server if any certificate is close to its expiration date.

Renew the affected ESXi Host's SSL certificate.

For Self-Signed Certificates

Renew an ESXi host certificate using the vSphere UI directly to a host or on the vCenter Server:

1. Browse to the host in the vSphere Client inventory.
2. Click Configure.
3. Under System, click Certificate. You can view detailed information about the selected host's certificate.
4. Depending on the vCenter Server version:
   • vCenter Server 8.0 Update 3 and later
     • Select MANAGE WITH VMCA using the buttons in the upper right corner, and then click Renew or Refresh CA Certificates.
   • vCenter versions prior to 8.0 Update 3
     • The MANAGE WITH VMCA option is not present. You can proceed directly by clicking Renew or Refresh CA Certificates.
       
       
   • Reference
     • Renew: Retrieves a fresh signed certificate for the host from VMCA.
     • Refresh CA Certificates: Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host.
5. Click Yes to confirm.

If you are unable to manage the affected ESXi host from vCenter Server vSphere UI, renew the ESXi host certificate using SSH session:

1. In a web browser, log in to the ESXi host using the VMware Host Client.
2. In the Actions menu, click Services > Enable Secure Shell (SSH).
3. Log in to the ESXi host using an SSH client such as Putty.
4. Regenerate the self-signed certificate by executing the following command:

   /sbin/generate-certificates

5. Restart the hostd and vpxa services by executing the following command:

   /etc/init.d/hostd restart && /etc/init.d/vpxa restart

6. Log back into the VMware Host Client and click Services > Disable Secure Shell (SSH) from the Actions menu.
7. Repeat the above steps for all remaining hosts.

For Custom Certificates

Refer to KB Configuring CA signed certificates for ESXi hosts.

Prerequisites before refreshing/renewing the ESXi SSL certificates from vCenter server vSphere UI:

• Ensure the VMCA Root certificate is not expiring soon as a root certificate cannot issue a certificate past its own expiration date.
  • To view this go to:
    vCenter → Administration → Certificate Management → Trusted Root
    
    Note: you may need to be signed in as [email protected] to view this page.
• The ESXi hosts are connected to the vCenter Server.
• Ensure time synchronization between the vCenter Server system and the ESXi hosts.
• DNS resolution works between the vCenter Server system and the ESXi hosts.
  • The vCenter Server system's MACHINE_SSL_CERT and TRUSTED_ROOT certificates are valid and have not expired. See the knowledge base article at Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.x and 7.x.
• The ESXi hosts are NOT in maintenance mode.

For more information, see Certificate Management for ESXi Hosts.