faziz
Contributor

ESXI certificate

All of my ESXi hosts in vCenter show "ESXi Host Certificate Status". I checked, and the certificates will expire in 2 weeks. I found a KB for this issue:

https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-ECFD1A29-0534-411...

So I just need to confirm: on each ESXi host in vCenter, do I need to go to ESXi > Configure > Certificate, then do Renew and then Refresh, or is the Renew option enough?

Do I need to change anything before that, or are the above steps enough?

0 Kudos
5 Replies
Charles69
Contributor

VMware uses standard X.509 version 3 certificates to encrypt session information sent over Secure Socket Layer protocol connections between the client and the server. If you want to replace default certificates for vCenter Server and ESXi, the certificates you obtain for your servers must be signed and must conform to the Privacy Enhanced Mail (PEM) key format. The key used to sign certificates must be a standard RSA key with an encryption length that ranges from 512 to 4,096 bits. The recommended length is 2,048 bits.

DMVNow

0 Kudos
faziz
Contributor

Hi,

I shared the KB to renew the certificate. Could you please check whether I can do that? I see you explained more details. I do not want to replace the certificate; my current certificate will expire in 2 weeks, so can I use the steps in the KB to refresh? My certificate mode is VMCA.

0 Kudos
NFerrar
Enthusiast

Correct - just do the renew part (unless your VCSA certs (MACHINE_SSL_CERT and Trusted_Root) are expiring as well, not just the ESXi hosts)

0 Kudos
anilspp
Enthusiast

Thanks for sharing.

0 Kudos
faziz
Contributor

Thanks for your input.

Could you please help me with how I can check/verify the (MACHINE_SSL_CERT and Trusted_Root) expiration dates?

0 Kudos
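Added example, not part of the thread or of VMware's own tooling: one way to triage the expiry dates discussed above is to collect the `notAfter` line that `openssl x509 -noout -enddate` prints for each ESXi host and for the VCSA stores, then rank them by days remaining. The host names, dates, label format and the 30-day threshold are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample. Each line is "<label> " followed by the output of
#   openssl x509 -noout -enddate
# For an ESXi host or the vCenter machine SSL certificate, the certificate
# can be read from the HTTPS port:
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate
# On the VCSA shell, a VECS store entry can be read with:
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT \
#       --alias __MACHINE_CERT | openssl x509 -noout -enddate
SAMPLE = """\
MACHINE_SSL_CERT notAfter=Mar  2 11:00:00 2027 GMT
esxi02.lab.example notAfter=Jun 15 09:30:00 2025 GMT
TRUSTED_ROOTS notAfter=Feb 27 11:00:00 2035 GMT
esxi01.lab.example notAfter=Jun 14 09:30:00 2025 GMT
"""


def days_left(not_after, now):
    """Whole days between `now` (aware UTC datetime) and an openssl notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days  # negative once the certificate has expired


def expiry_report(text, now, warn_days=30):
    """Return (label, days_left, status) tuples, most urgent first."""
    report = []
    for line in text.splitlines():
        label, sep, not_after = line.partition(" notAfter=")
        if not sep:
            continue  # skip lines that are not enddate output
        left = days_left(not_after.strip(), now)
        if left < 0:
            status = "EXPIRED"
        elif left <= warn_days:
            status = "RENEW"
        else:
            status = "OK"
        report.append((label.strip(), left, status))
    return sorted(report, key=lambda row: row[1])


if __name__ == "__main__":
    for label, left, status in expiry_report(SAMPLE, datetime.now(timezone.utc)):
        print(f"{status:8} {left:6d} days  {label}")
```
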