
Virtual Geek

Tales from real IT system administrators world and non-production environment

Managing ESXi SSL certificate properties from vCenter server

One way to manage ESXi certificate properties is through vCenter Server. This is a good option because you don't have to generate a certificate for every individual ESXi host; you only need to configure a valid SSL certificate once on the vCenter VMCA. Managing the properties from vCenter Server also helps ensure that all the ESXi servers are compliant on SSL certificate configuration. To configure the settings, log in to the vSphere Client and go to vCenter Server >> Configure >> Advanced Settings >> EDIT SETTINGS.

Generate new self-signed certificates for ESXi using OpenSSL
Push SSL certificates to client computers using Group Policy
Replacing a default ESXi certificate with a CA-Signed certificate
Troubleshooting replacing a corrupted certificate on Esxi server
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
Managing ESXi SSL certificate properties from vCenter server


This opens the Edit Advanced vCenter Server Settings box. In the Name column header, click the filter icon and search for certmgmt. Change the settings as required by your organization. There are multiple settings, so scroll through them and check the next page as well. The table below lists the certificate-related settings with their descriptions.

| Name | Summary |
|---|---|
| vpxd.certmgmt.certs.cn.country | The Country Name to be included as part of the ESXi host's certificate |
| vpxd.certmgmt.certs.cn.email | The e-mail address to be included as part of the ESXi host's certificate |
| vpxd.certmgmt.certs.cn.localityName | The Locality Name, e.g. city name, to be included as part of the ESXi host's certificate |
| vpxd.certmgmt.certs.cn.organizationalUnitName | The Organizational Unit Name to be included as part of the ESXi host's certificate |
| vpxd.certmgmt.certs.cn.organizationName | The Organization Name to be included as part of the ESXi host's certificate |
| vpxd.certmgmt.certs.cn.state | The State Name or Province Name to be included as part of the ESXi host's certificate |
| vpxd.certmgmt.certs.daysValid | The ESXi host's certificate validity period in days. |
| vpxd.certmgmt.certs.hardThreshold | The ESXi host's certificate management hard threshold, in days. When this threshold is reached, the vCenter Server system displays red alarms about the impending certificate expiration. |
| vpxd.certmgmt.certs.minutesBefore | |
| vpxd.certmgmt.certs.pollIntervalDays | The interval (in days) between ESXi host certificate validity checks by the vCenter Server system |
| vpxd.certmgmt.certs.softThreshold | The ESXi host's certificate management soft threshold, in days. When this threshold is reached, the vCenter Server system displays information about the impending certificate expiration. |
| vpxd.certmgmt.mode | The ESXi host's certificate management mode. Possible values are vmca, custom, thumbprint. |


Once the certificate-related advanced settings on vCenter Server are configured, go to each ESXi server >> Configure tab >> Certificate option. Check the certificate subject here: the email address, organizational unit name, location and related information are still the VMware defaults. First Renew the certificate for the ESXi host and then Refresh CA certificates. Press Yes to confirm.


Once the certificate is renewed and refreshed, verify the certificate subject again. It now reflects the certificate data I filled in under the advanced settings of vCenter Server.
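The verification step above can be scripted across many hosts. The following is an added example, not code from the original article: it compares a host certificate's subject with the vpxd.certmgmt.certs.cn.* values and classifies its expiry against the soft and hard thresholds. The function names, the sample values and the host name are constructed for illustration, and treating a threshold as reached when the remaining days are at or below its value is an assumption.

```python
import socket
import ssl
from datetime import datetime, timezone
# vCenter advanced setting -> subject attribute name used by ssl.getpeercert()
SETTING_TO_ATTR = {
    "vpxd.certmgmt.certs.cn.country": "countryName",
    "vpxd.certmgmt.certs.cn.email": "emailAddress",
    "vpxd.certmgmt.certs.cn.localityName": "localityName",
    "vpxd.certmgmt.certs.cn.organizationalUnitName": "organizationalUnitName",
    "vpxd.certmgmt.certs.cn.organizationName": "organizationName",
    "vpxd.certmgmt.certs.cn.state": "stateOrProvinceName",
}
# Constructed sample values, not defaults taken from the article.
SAMPLE_SETTINGS = {
    "vpxd.certmgmt.certs.cn.country": "US",
    "vpxd.certmgmt.certs.cn.organizationName": "Example Corp",
    "vpxd.certmgmt.certs.hardThreshold": "30",
    "vpxd.certmgmt.certs.softThreshold": "240",
}
# Constructed getpeercert()-style dict for a host that has not been renewed yet.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "VMware"),)),
    "notAfter": "Jan 31 00:00:00 2030 GMT",
}

def fetch_cert(host, ca_file, port=443):
    """TLS-connect to an ESXi host, trusting only ca_file (the VMCA root), and return its cert."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit_cert(cert, settings, now=None):
    """Return ({setting: (expected, actual)}, state) with state in 'ok', 'info', 'red'."""
    now = now or datetime.now(timezone.utc)
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    mismatches = {s: (settings[s], subject.get(a)) for s, a in SETTING_TO_ATTR.items()
                  if s in settings and subject.get(a) != settings[s]}
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    # Assumption: a threshold is "reached" once days_left is at or below its value.
    if days_left <= int(settings["vpxd.certmgmt.certs.hardThreshold"]):
        return mismatches, "red"
    if days_left <= int(settings["vpxd.certmgmt.certs.softThreshold"]):
        return mismatches, "info"
    return mismatches, "ok"

if __name__ == "__main__":
    print(audit_cert(SAMPLE_CERT, SAMPLE_SETTINGS, datetime(2029, 10, 1, tzinfo=timezone.utc)))
```

Against a live host, pass the result of `fetch_cert(host, ca_file)` to `audit_cert`; `ca_file` is the VMCA root certificate exported to a PEM file, and the host must be addressed by the name in its certificate for the handshake to succeed.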

