If VMCA assigns certificates to your ESXi hosts (6.0 and later), you can renew those certificates from the vSphere Web Client. You can also refresh all certificates from the TRUSTED_ROOTS store associated with vCenter Server.

You can renew your certificates when they are about to expire, or if you want to provision the host with a new certificate for other reasons. If the certificate is already expired, you must disconnect the host and reconnect it.

By default, vCenter Server renews the certificates of a host with status Expired, Expiring immediately, or Expiring each time the host is added to the inventory or reconnected.

1. Browse to the host in the vSphere Web Client inventory.

2. Click the Manage tab and click Settings.

3. Select System, and click Certificate.

   You can view detailed information about the selected host's certificate.

4. Click Renew or Refresh CA Certificates.

   | Option | Description |
   | --- | --- |
   | Renew | Retrieves a fresh signed certificate for the host from VMCA. |
   | Refresh CA Certificates | Pushes all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the host. |

5. Click Yes to confirm.
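
A scripted counterpart to the procedure above, added here as an example and not taken from VMware's documentation: it reports each connected host's certificate expiry and, only when run with -Renew, asks vCenter Server to renew the certificates that are close to expiry. It assumes VMware PowerCLI with an existing Connect-VIServer session; the 30-day window, the parameter names, and the use of the vSphere API method CertMgrRefreshCertificates_Task as the equivalent of Renew are assumptions of this example.

```powershell
# Added example, not VMware's code. Run after Connect-VIServer <vCenter Server>.
param(
    [int]$RenewWithinDays = 30,   # assumed window for this example, not a vCenter default
    [switch]$Renew                # without this switch the script only reports
)

# Only connected hosts can be queried; an expired certificate needs the
# disconnect/reconnect path described in the text instead.
$hosts = Get-VMHost | Where-Object {
    $_.ConnectionState -eq 'Connected' -or $_.ConnectionState -eq 'Maintenance'
}

$report = foreach ($vmHost in $hosts) {
    # ESXi 6.0 and later expose a per-host certificate manager; older hosts do not.
    $mgrRef = $vmHost.ExtensionData.ConfigManager.CertificateManager
    if (-not $mgrRef) { continue }
    $info = (Get-View -Id $mgrRef).CertificateInfo
    [pscustomobject]@{
        Host     = $vmHost.Name
        MoRef    = $vmHost.ExtensionData.MoRef
        Issuer   = $info.Issuer      # shows whether VMCA or another CA signed the certificate
        Status   = $info.Status
        NotAfter = $info.NotAfter
        DaysLeft = if ($info.NotAfter) { [int]($info.NotAfter - (Get-Date)).TotalDays } else { $null }
    }
}
$report | Sort-Object DaysLeft |
    Format-Table Host, Status, NotAfter, DaysLeft, Issuer -AutoSize

# Certificates still valid but inside the renewal window.
$due = @($report | Where-Object {
    $null -ne $_.DaysLeft -and $_.DaysLeft -ge 0 -and $_.DaysLeft -le $RenewWithinDays
})

if ($Renew -and $due.Count -gt 0) {
    # vCenter-level CertificateManager: requests fresh VMCA-signed certificates.
    $certMgr = Get-View -Id (Get-View ServiceInstance).Content.CertificateManager
    $refs = [VMware.Vim.ManagedObjectReference[]]@($due.MoRef)
    $certMgr.CertMgrRefreshCertificates_Task($refs)   # returns the task reference
}
```

Check the Issuer column before using -Renew: the renewal path applies to hosts whose certificates VMCA assigns, as stated at the top of this page.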