When logging into my Lab vCenter the other day, I noticed one of my lab hosts showed an red “ESXi Host Certificate Status” alarm. That was the case because the host was 5 years connected to vCenter and therefore the hosts certificate was expired.

Luckily fixing the Host Certificate Status alarm is quite easy since the vSphere 6.x days. Select the host and go to “Configure > System > Certificate” and use the “Renew” button.

Renew ESXi Certificate

By using the “Renew” option, vCenter generates and and applies a new certificate to the host. During the process the host will briefly disconnected from vCenter. In my case about a second.

Re-generated ESXi Host Certificate

As can be seen it the latest screenshot, the certificate is renewed and lasts for another 5 years.

Back in the days

In the vSphere 5.x and earliers days, the certificated could be generated in two ways:

  • Disconnect the host from vCenter an re-connect
  • On the (SSH) console of ESXi hosts re-create the certificates
    • Rename the certificate file and private key file
    • Execute sbin/generate-certificates
    • Restart ESXi Server management agents by executing /sbin/services.sh restart

Useful links

vSphere Documentation: Renew or Refresh ESXi Certificates


Petar Brcic · December 6, 2023 at 09:32

Great Daniel!
Important info regarding the issue that admins are not aware at the beginning.
And short effective operational procedure!

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *