When using the default "vmca" certificate mode, vCenter Server pushes its own Trusted Root certificates ("TRUSTED_ROOTS") to the ESXi Certificate Store. However, each ESXi host may also have additional certificates added manually. If the ESXi Certificate Store contains a certificate with a weak signature algorithm (SHA1), that certificate must be removed; this can be done using "esxcli".
vSphere ESXi 7.0
vSphere ESXi 8.0
vSphere 8 does not support the SHA1 certificate signature algorithm. Any certificates on the VCSA that use SHA1 must be removed before the upgrade.
The currently configured certificates can be listed with the following command.
esxcli system security certificatestore list
Certificates can be removed with the following command.
esxcli system security certificatestore remove
OR
esxcli system security certificatestore remove --filename=<local_file>
Note: If this does not work, consider editing the castore.pem file in the /etc/vmware/ssl directory, removing the SHA1 certificate directly, and saving the file; the certificate should then be removed.
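To identify which entry in a PEM bundle such as /etc/vmware/ssl/castore.pem actually carries a SHA1-based signature before removing it, the following added example (not VMware's code) parses only the outer DER structure of each certificate with the Python standard library and reports the offending entries. The sample bundle it builds is constructed for the demonstration; point weak_certs at the contents of the real file instead.

```python
import base64

# SHA1-based signature algorithm OIDs; vSphere 8 rejects certificates signed with these.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10040.4.3": "dsaWithSHA1",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Render the content octets of a DER OBJECT IDENTIFIER as a dotted string."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:  # base-128 arcs; high bit set on every octet but the last
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [str(acc)], 0
    return ".".join(arcs)

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, body, _ = der_tlv(der, 0)
    _, _, pos = der_tlv(body, 0)    # skip tbsCertificate
    _, alg, _ = der_tlv(body, pos)  # signatureAlgorithm: SEQUENCE { OID, parameters }
    return decode_oid(der_tlv(alg, 0)[1])

def weak_certs(pem_text):
    """Return (index, algorithm name) for each SHA1-signed certificate in a PEM bundle."""
    found = []
    for i, blob in enumerate(pem_text.split("-----BEGIN CERTIFICATE-----")[1:]):
        b64 = blob.split("-----END CERTIFICATE-----")[0]
        oid = signature_oid(base64.b64decode("".join(b64.split())))
        if oid in WEAK_SIG_OIDS:
            found.append((i, WEAK_SIG_OIDS[oid]))
    return found

def stub_cert_pem(oid_bytes):
    """Constructed test input: minimal DER with an empty tbsCertificate and the given OID."""
    alg = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\x00"
    pem = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % pem

# Constructed sample bundle: a sha256WithRSA certificate followed by a sha1WithRSA one.
SAMPLE_BUNDLE = (stub_cert_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
                 + stub_cert_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))
```

The index returned is the position of the certificate in the file, counting from zero, which is the entry to cut out of castore.pem if the esxcli removal does not work.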
Note that esxcli commands can also be accessed using PowerCLI.
Please see "Upgrading vCenter Server or ESXi 8.0 fails during precheck due to a weak certificate signature algorithm" for more details.