ESXi Certificates in vSphere 6

Starting from vSphere 6.0, VMCA (VMware Certificate Authority) provisions each new ESXi host with certificates when they are added to the vCenter Server system.1.png

In contrast to vCenter Server Certificates, ESXi certificates are not stored in VECS (VMware Endpoint Certificate Store). Instead they are stored locally on each host in /etc/vmware/ssl


An upgrade to ESXi 6.0 replaces existing thumbprint certificates with VMCA signed certificates, custom certificates are retained. However if you select renew certificates in vSphere web client, VMCA pushes a fresh VMCA signed certificate to the host and overwrites any existing certificate even a custom certificate.2.png

To prevent overwriting custom certificate, you can change the certificate mode from vSphere Web Client. There can be three kind of certificate mode in vSphere 6.0:

  • Thumbprint mode: To accommodate any legacy host
  • VMCA Mode: Which uses VMCA as a root CA
  • Custom Mode: To use only third party certificate


To set certificate mode in vSphere web client, go to vCenter Server – Manage – Settings – Advance Settings – click edit3.png

In the filter box, enter “certm” to display only certificate management keys.4.png


Change the value of “vpxd.certmgmtmode” to custom, if you intend to manage you own certificate and thumbprint if you want to use thumbprint mode and click OK.

Restart the vCenter server service. The mode always apply to all the host managed by vCenter server system that uses that mode.

One thought on “ESXi Certificates in vSphere 6

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s