Starting from vSphere 6.0, VMCA (VMware Certificate Authority) provisions each new ESXi host with certificates when they are added to the vCenter Server system.
In contrast to vCenter Server Certificates, ESXi certificates are not stored in VECS (VMware Endpoint Certificate Store). Instead they are stored locally on each host in /etc/vmware/ssl
An upgrade to ESXi 6.0 replaces existing thumbprint certificates with VMCA signed certificates, custom certificates are retained. However if you select renew certificates in vSphere web client, VMCA pushes a fresh VMCA signed certificate to the host and overwrites any existing certificate even a custom certificate.
To prevent overwriting custom certificate, you can change the certificate mode from vSphere Web Client. There can be three kind of certificate mode in vSphere 6.0:
- Thumbprint mode: To accommodate any legacy host
- VMCA Mode: Which uses VMCA as a root CA
- Custom Mode: To use only third party certificate
To set certificate mode in vSphere web client, go to vCenter Server – Manage – Settings – Advance Settings – click edit
In the filter box, enter “certm” to display only certificate management keys.
Change the value of “vpxd.certmgmtmode” to custom, if you intend to manage you own certificate and thumbprint if you want to use thumbprint mode and click OK.
Restart the vCenter server service. The mode always apply to all the host managed by vCenter server system that uses that mode.
Saurav Issar 
One thought on “ESXi Certificates in vSphere 6”