The VMCA, in vSphere 6, provisions a signed certificate to each ESXi host. The certificate specifies the VMCA as the root certificate authority by default. The certificate is provisioned when the ESXi host is added to vCenter Server, or installed or upgraded to ESXi 6.0 or later.
If the VMCA is a subordinate certificate authority, it is allowed to sign certificates for the ESXi hosts. This can be done using the vSphere Web Client. To do so, log into the vSphere Web Client and navigate to the Hosts and Cluster inventory view. Right-click on the ESXi host, and select Certificates | Renew Certificate.
This will bring up the Renew Certificate dialog; click on the Yes button.
This can also be done without making the VMCA a subordinate certificate authority. This process would need to be before the certificate expires or if the hostname is changed. However, if the certificate has already expired, just disconnect and remove the ESXi host from the inventory and then reconnect it. The vCenter Server will renew an expired certificate when a host is added to the inventory.
By default, the ESXi host uses the automatically generated certificates that were created at installation. If required by security policy, these certificates may be replaced.
To begin this process:
/etc/vmware/ssl
directory and use the ls
command to view the contents of this location. The .crt
file and the .key
file will be listed.
.crt
and .key
file in case of any issues. To rename those files, use the mv
command, as shown:mv rui.crt old.rui.crtmv rui.key old.rui.key
/etc/vmware/ssl
. Any file transfer application that uses an HTTPS session may be used, however, the following screenshot demonstrates using WinSCP.rui.crt
and rui.key
(respectively) then rename the files to match the aforementioned names.
/etc/vmware/ssl
directory, restart the ESXi host. (Or the host could be put into maintenance mode, the new certificates installed and the management agents restarted).3.145.54.7