When a host is added to a vCenter Server system, vCenter Server sends a Certificate Signing Request (CSR) for the host to VMCA. Most of the default values are well suited for many situations, but company-specific information can be changed.
You can change many of the default settings using the vSphere Client. Consider changing the organization and location information. See Change ESXi Certificate Default Settings.
Parameter | Default Value | Advanced Option |
---|---|---|
Key Size | 2048 | N.A. |
Key Algorithm | RSA | N.A. |
Certificate Signature Algorithm | sha256WithRSAEncryption | N.A. |
Common Name | Name of the host if the host was added to vCenter Server by host name. IP address of the host if the host was added to vCenter Server by IP address. | N.A. |
Country | US | vpxd.certmgmt.certs.cn.country |
Email address | vmca@vmware.com | vpxd.certmgmt.certs.cn.email |
Locality (City) | Palo Alto | vpxd.certmgmt.certs.cn.localityName |
Organization Unit Name | VMware Engineering | vpxd.certmgmt.certs.cn.organizationalUnitName |
Organization Name | VMware | vpxd.certmgmt.certs.cn.organizationName |
State or province | California | vpxd.certmgmt.certs.cn.state |
Number of days the certificate is valid. | 1825 | vpxd.certmgmt.certs.daysValid |
Hard threshold for the certificate expiration. vCenter Server raises a red alarm when this threshold is reached. | 30 days | vpxd.certmgmt.certs.hardThreshold |
Poll interval for vCenter Server certificate validity checks. | 5 days | vpxd.certmgmt.certs.pollIntervalDays |
Soft threshold for the certificate expiration. vCenter Server raises an event when this threshold is reached. | 240 days | vpxd.certmgmt.certs.softThreshold |
Mode that vCenter Server uses to determine whether existing certificates are replaced. Change this mode to retain custom certificates during upgrade. See ESXi Host Upgrades and Certificates. | vmca. You can also specify thumbprint or custom. See Change the ESXi Certificate Mode. | vpxd.certmgmt.mode |
Change ESXi Certificate Default Settings
When an ESXi host is added to a vCenter Server system, vCenter Server sends a Certificate Signing Request (CSR) for the host to VMCA. You can change some of the default settings in the CSR using the vCenter Server Advanced Settings in the vSphere Client.
See the previous table for a list of default settings. Some of the defaults cannot be changed.
Procedure
What to do next
Changes to certificate metadata only affect new certificates. If you want to change the certificates of hosts that are already managed by the vCenter Server system, you can disconnect and reconnect the hosts or renew the certificates.
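Because metadata changes apply only to new certificates, it helps to find hosts whose certificates still carry the defaults. The following audit sketch is an added example, not VMware code: it checks a certificate's subject against the default values in the table above and classifies its remaining validity against the default soft and hard thresholds. It assumes the input is the dictionary returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the inclusive threshold comparison and the sample certificate are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Default CSR subject values from the table above, keyed by X.509 attribute name.
VMCA_DEFAULTS = {
    "countryName": "US",
    "emailAddress": "vmca@vmware.com",
    "localityName": "Palo Alto",
    "organizationalUnitName": "VMware Engineering",
    "organizationName": "VMware",
    "stateOrProvinceName": "California",
}
SOFT_THRESHOLD_DAYS = 240  # default of vpxd.certmgmt.certs.softThreshold
HARD_THRESHOLD_DAYS = 30   # default of vpxd.certmgmt.certs.hardThreshold

def default_subject_fields(cert):
    """Return subject attributes that still carry a VMCA default value."""
    return sorted(name for rdn in cert.get("subject", ())
                  for name, value in rdn if VMCA_DEFAULTS.get(name) == value)

def expiry_status(cert, now):
    """Return ('expired' | 'hard' | 'soft' | 'ok', whole days remaining)."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= HARD_THRESHOLD_DAYS:   # assumption: threshold is inclusive
        return "hard", days_left
    if days_left <= SOFT_THRESHOLD_DAYS:
        return "soft", days_left
    return "ok", days_left

# Constructed sample in getpeercert() format; not a real host certificate.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("localityName", "Palo Alto"),),
        (("organizationName", "Example Corp"),),
        (("organizationalUnitName", "VMware Engineering"),),
        (("commonName", "esxi01.example.test"),),
    ),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(default_subject_fields(SAMPLE_CERT))
    print(expiry_status(SAMPLE_CERT, datetime.now(timezone.utc)))
```

`getpeercert()` returns an empty dictionary when the TLS connection did not validate the certificate, so the auditing client must trust the VMCA root (or the custom CA) before these checks see any fields.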