ESXi 6.0 SSL certificate replacement and management

Note: As a prerequisite, the ESXi 6.0 server must have been a fresh install, and not an upgrade from a previous version.

ESXi CA certificates

If you are replacing your ESXi certificates with CA certificates, the best method is to make your VMCA a subordinate CA and allow it to sign certificates for the ESXi host. Please see directions here for making your VMCA a subordinate CA. I had received the error “Start Time Error” shown below. To resolve this I added the ESXi host to the domain, and added the VMCA certificate as a Trusted Publisher certificate in AD, so I have added these steps to the process.
Note: I believe the new reason for the error below is because of a known issues where the VMCA signing certificate needs to be valid for 24 hours before you can generate CA certificates from the VMCA. It may not be necessary to join the domain or add the VMCA certificate as a Trusted Publisher certificate in AD.

2015-04-03T17:44:11.268-06:00 info vpxd[42704] [Originator@6876 sub=Default opID=11f0dfdc-f507-4805-9b3d-20918dcd2757-1411-ngc-e6] [VpxLRO] -- ERROR task-468 -- certificateManager -- vim.CertificateManager.refreshCertificates: vmodl.fault.SystemError:
--> Result:
--> (vmodl.fault.SystemError) {
-->    faultCause = (vmodl.MethodFault) null, 
-->    reason = "Unable to get signed certificate for host: esxi60-2.vcloud.local. Error: Start Time Error (70034).
--> ", 
-->    msg = ""
--> }
--> Args:
--> Arg host:
--> (ManagedObjectReference) [
-->    'vim.HostSystem:2306b49d-4fc5-4bdf-96e0-80a1da9b8633:host-17'
--> ]


Step 1. Join the ESXi host to the domain: Under the Host -> Manage -> Settings -> Authentication Services Select Join Domain



Step 4. Enter your domain and credentials.



Step 3. Using the vSphere Web Client, right click on your ESXi host, select Certificates -> Refresh CA Certificates. This will push all certificates from the TRUSTED_ROOTS store in the VECS to the host.



Step 3. Using the vSphere Web Client, right click on your ESXi host, select Certificates -> Renew Certificate



It’s as easy as that! If by chance you are using default certificates, you can renew them using the “Renew Certificates option” without making your VMCA a subordinate CA. You would want to do this if you changed the ESXi host name and you need to generate new certificates that match the new hostname, or if the certificate is about to expire. An important thing to note is that if the certificate is already expired, you can simply disconnect and remove the host from inventory, then reconnect it. vCenter Server will renew the certificate of a host added to inventory if the certificate is expired.


Posted by:

Sean Whitney


  1. Aaron -  April 28, 2015 - 8:03 am 96

    I hit the same “Start time error” after changing the vcsa cert out for a Msft CA sub cert. I had to wait 24 hours to join any hosts.

    VM tech support knew nothing of this error. Simply waiting 24 hours and the “problem” was resolved.

    “A general system error occurred: Unable to get signed certificate for host: esx-host.your-domain.pri. Error: Start Time Error (70034).”

    • Sean Whitney -  April 28, 2015 - 8:07 am 97

      Yeah, I’m working on getting it made aware. I believe we are working on something for a future release.

      • Hunter "The Doctor" Lemperle -  August 12, 2015 - 2:58 pm 225

        I didn’t run into this issue with 3 hour old certs.

        • Sean Whitney -  August 15, 2015 - 7:58 am 226

          I think it might be fixed in the newer versions that were released.

    • Sean Whitney -  September 11, 2015 - 9:41 pm 249

      Thanks, Erik!

  2. Denis Salamanca -  October 14, 2015 - 7:48 am 292

    Hey Sean, I think VMware has its KB wrong:

    It states how to replace the certificates in 5.x in a KB for 6.0, and its completely different on how its shown in this post.

    stalling and configuring the certificate on the ESXi host

    After the certificate is created, complete the installation and configuration of the certificate on the ESXi 5.x host:
    Log in to vCenter Server
    Put the host into Maintenance Mode.
    Navigate to the console of the server to enable SSH on the ESXi 5.x host.
    Press F2 to log in to the Direct Console User Interface (DCUI).
    Click Troubleshooting options > Enable SSH.
    Log in to the host and then navigate to /etc/vmware/ssl .
    Copy the files to a backup location, such as a VMFS volume.
    Log in to the host with WinSCP and navigate to the /etc/vmware/ssl directory.
    Delete the existing rui.crt and rui.key from the directory.
    Copy the newly created rui.crt and rui.key to the directory using Text Mode or ASCII mode to avoid the issue of special characters ( ^M) appearing in the certificate file.
    Type vi rui.crt to validate that there are no extra characters.

    Note: There should not be any erroneous ^M characters at the end of each line.

    Switch back to the DCUI of the host and select Troubleshooting Options > Restart Management Agents.
    When prompted press F11 to restart the agents. Wait until they are restarted.
    Press ESC several times until you logout of the DCUI.
    Exit the host from Maintenance Mode.
    When complete, the host is made available and successfully rejoins the cluster.

    Or this is another way of doing this?

    • Sean Whitney -  October 22, 2015 - 12:08 pm 307

      Hi Denis,

      You can do it either way. This is for CA certificates, if you want CA certificates and don’t have a subordinate CA setup then the KB is the process you will run through.


  3. Gowan Joslin -  December 1, 2015 - 4:15 pm 346

    How exactly did you get the CA certificate? I followed the steps you did above but receive a certificate error because my envrionment doesnt have the CA certificate trusted. I noticed in your screenshots you had downloaded the “Issued to: CA” and “Issued from: ” how did you retrieve that certificate?



    • Gowan Joslin -  December 1, 2015 - 4:21 pm 347

      “Issued to: CA” and “Issued from: your PSC”. Sorry, using brackets did some funny things in HTML.

  4. Manish Jha -  November 5, 2017 - 5:59 am 621

    Hi Sean,

    In my lab I have made my VMCA as subordinate CA to my Enterprise CA and I have replaced VMCA root certificates by selecting the option “Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates”

    Now to replace Esxi host certs, I just need to click on Refresh CA certs and then renew certs or do I need to follow the steps mentioned in VMware KB-2113926

  5. John -  June 21, 2018 - 10:27 am 650

    I have renewed the Machine SSL certificate successfully and noticed an expired alarm in the VC. Logged into the PSC and could see the old expired certificate. I removed this from the certificate store in the web interface but for some reason it is appearing again? How do I get it to remove? Until this is removed the alarm wont go? This is vSphere 6.0 embedded.


Leave A Comment

Your email address will not be published. Required fields are marked (required):

Back to Top