When a host is added to a vCenter Server system, vCenter Server sends a Certificate Signing Request (CSR) for the host to VMCA. Most of the default values are well suited for many situations, but company-specific information can be changed.

You can change many of the default settings using the vSphere Client. Consider changing the organization, and location information. See Change ESXi Certificate Default Settings.

Table 1. ESXi CSR Settings
Parameter Default Value Advanced Option
Key Size 2048 N.A.
Key Algorithm RSA N.A.
Certificate Signature Algorithm sha256WithRSAEncryption N.A.
Common Name Name of the host if the host was added to vCenter Server by host name.

IP address of the host if the host was added to vCenter Server by IP address.

N.A.
Country US vpxd.certmgmt.certs.cn.country
Email address vmca@vmware.com vpxd.certmgmt.certs.cn.email
Locality (City) Palo Alto vpxd.certmgmt.certs.cn.localityName
Organization Unit Name VMware Engineering vpxd.certmgmt.certs.cn.organizationalUnitName
Organization Name VMware vpxd.certmgmt.certs.cn.organizationName
State or province California vpxd.certmgmt.certs.cn.state
Number of days the certificate is valid. 1825 vpxd.certmgmt.certs.daysValid
Hard threshold for the certificate expiration. vCenter Server raises a red alarm when this threshold is reached. 30 days vpxd.certmgmt.certs.hardThreshold
Poll interval for vCenter Server certificate validity checks. 5 days vpxd.certmgmt.certs.pollIntervalDays
Soft threshold for the certificate expiration. vCenter Server raises an event when this threshold is reached. 240 days vpxd.certmgmt.certs.softThreshold
Mode that vCenter Server users to determine whether existing certificates are replaced. Change this mode to retain custom certificates during upgrade. See ESXi Host Upgrades and Certificates. vmca

You can also specify thumbprint or custom. See Change the ESXi Certificate Mode.

vpxd.certmgmt.mode

Change ESXi Certificate Default Settings

When an ESXi host is added to a vCenter Server system, vCenter Server sends a Certificate Signing Request (CSR) for the host to VMCA. You can change some of the default settings in the CSR using the vCenter Server Advanced Settings in the vSphere Client.

See the previous table for a list of default settings. Some of the defaults cannot be changed.

Procedure

  1. In the vSphere Client, select the vCenter Server system that manages the hosts.
  2. Click Configure, and click Advanced Settings.
  3. Click Edit Settings.
  4. Click the Filter icon in the Name column, and in the Filter box, enter vpxd.certmgmt to display only certificate management parameters.
  5. Change the value of the existing parameters to follow your company policy and click Save.
    The next time you add a host to vCenter Server, the new settings are used in the CSR that vCenter Server sends to VMCA and in the certificate that is assigned to the host.

What to do next

Changes to certificate metadata only affect new certificates. If you want to change the certificates of hosts that are already managed by the vCenter Server system, you can disconnect and reconnect the hosts or renew the certificates.