Change the Machine SSL Certificate of an ESXi Host

You can use PowerCLI to change the Machine SSL certificates of one or more ESXi hosts in your vSphere environment.

Prerequisites

  • Verify that the root certificate of the CA you are going to use is added to the trusted root store of vCenter Server and to the connected ESXi hosts.

Procedure

  1. Connect to the vCenter Server system.
    $vCenterConnection = Connect-VIServer vc1.example.com `
        -User 'My User' `
        -Password 'My Password'
  2. In the vCenter Server system, retrieve the setting for the ESXi host certificate management mode.
    $certModeSetting = Get-AdvancedSetting "vpxd.certmgmt.mode" -Entity $vCenterConnection
    $certModeSetting.Value
  3. Change the setting to custom.
    Set-AdvancedSetting $certModeSetting -Value "custom"
    
  4. For the new certificate management mode to take effect, reboot your vCenter Server system.
  5. Connect to the vCenter Server system.
    $vCenterConnection = Connect-VIServer vc1.example.com `
        -User 'My User' `
        -Password 'My Password'
  6. Set the ESXi host you want to manage to Maintenance mode.
    $vmhost = Get-VMHost 'MyESXiHost' `
    Set-VMHost -VMHost $vmhost -State Maintenance
    
  7. Generate a certificate signing request (CSR) for the ESXi host.
    $esxRequest = New-VIMachineCertificateSigningRequest `
        -VMHost $vmhost `
        -Country "US" `
        -Locality "San Francisco" `
        -Organization "My Company" `
        -OrganizationUnit "PowerCLI" `
        -StateOrProvince "California" `
        -CommonName <ESXi host's FQDN> or <ESXi host's IP address>
    Note:

    For CommonName, you must use either the ESXi host's FQDN or IP address. The common name must match the identifier you use to add the host to the vCenter Server system.

  8. Save the CSR to your system.
    $esxRequest.CertificateRequestPEM | Out-File "C:\Users\jdoe\Downloads\esx.csr.pem" -Force
    
  9. Send the CSR to the CA of your choice.
  10. Save the issued custom certificate to your machine.
  11. Create a variable with your issued custom certificate.
    $esxCertificatePem = Get-Content "C:\Users\jdoe\downloads\myesxcert.pem" -Raw 
    
  12. Remove the ESXi host from the vCenter Server system.
    Remove-VMHost $vmhost
    
  13. Disconnect from the vCenter Server system.
    Disconnect-VIServer $vCenterConnection
    
  14. Connect directly to the ESXi host.
    $esxConnection = Connect-VIServer $vmhost.Name `
        -User 'My User' `
        -Password 'My Password' `
        -Force
    
  15. Set the custom Machine SSL certificate to the ESXi host.
    $targetEsxHost = Get-VMHost $vmhost.Name
    Set-VIMachineCertificate -PemCertificate $esxCertificatePem -VMHost $targetEsxHost | Out-Null
    
  16. To apply the change, restart the ESXi host.
    Restart-VMHost $targetEsxHost
    
  17. Disconnect from the ESXi host.
    Disconnect-VIServer $esxConnection
    
  18. Connect to the vCenter Server system.
    $vCenterConnection = Connect-VIServer vc1.example.com `
        -User 'My User' `
        -Password 'My Password'
  19. Add the ESXi host to the vCenter Server system.
    $vmhost = Add-VMHost -Name <ESXi host's FQDN> or <ESXi host's IP address> `
        -Location (Get-Datacenter "My Datacenter")`
        -User "My User" `
        -Password "My Password"
    
  20. Set the ESXi host to the Connected mode.
    $vmhost = Set-VMHost -VMHost $vmhost -State Connected
    
  21. (Optional) Verify that the Machine SSL certificate of the ESXi host is changed.
    Get-VIMachineCertificate -VMHost $vmhost