Renewing the VMware ESXi host certificate through vCenter Server keeps your environment aligned with security best practices. You renew ESXi certificates to keep connections in the vSphere environment secured, to avoid trust issues with vCenter Server, and to preserve compatibility for upgrades: expired or untrusted certificates can cause functionality failures, host disconnections, and errors when upgrading to newer vSphere versions.
In one scenario, upgrading from ESXi 7 to ESXi 8 through vLCM (vSphere Lifecycle Manager), I was getting an error because of SHA1-signed SSL certificates on the ESXi 7 hosts. The simple fix was to renew and refresh the certificates on each ESXi server, but that task meant navigating to every ESXi host and renewing and refreshing by hand. To automate it I wrote the simple PowerCLI script below, which goes through all the ESXi servers in the connected vCenter Server and renews/refreshes the certificate on each one, one by one.
To renew and refresh the CA certificate from the vCenter portal, navigate to the ESXi server, go to the Configure tab and, under System, select Certificate. Click MANAGE WITH VMCA and choose Renew and Refresh CA Certificates from the dropdown.
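Before renewing anything, it helps to know which hosts actually carry a SHA1-signed or near-expiry certificate. The following audit is an added example, not code from the original post: it reads the certificate dates and status that vCenter holds for each host (the same HostCertificateManager.CertificateInfo the renewal script uses) and, because that view does not expose the signature algorithm, also fetches the certificate each host presents on port 443 to read its signature algorithm and thumbprint. It assumes an existing Connect-VIServer session; the 30-day warning window and the function name are assumptions.

```powershell
# Added example (not from the original post): audit ESXi host certificates before renewing.
# Assumes Connect-VIServer has already been run. WarnDays is an assumed threshold.
$WarnDays = 30

function Get-ServedCertificate {
    # Fetch the certificate the host presents on 443. Chain validation is deliberately
    # skipped here (callback returns $true) so an untrusted or expired certificate can
    # still be inspected; nothing is sent over the connection.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

$report = foreach ($vmHost in (Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' })) {
    # vCenter's view of the host certificate: dates, issuer and status (good/expiring/expired/...)
    $info = (Get-View -Id $vmHost.ExtensionData.ConfigManager.CertificateManager).CertificateInfo
    # The certificate actually served by the host, for the signature algorithm
    $served = Get-ServedCertificate -HostName $vmHost.Name
    $daysLeft = [int]($info.NotAfter - (Get-Date)).TotalDays
    $sigAlg = $served.SignatureAlgorithm.FriendlyName

    [pscustomobject]@{
        ESXi       = $vmHost.Name
        Issuer     = $info.Issuer
        Status     = $info.Status
        NotAfter   = $info.NotAfter
        DaysLeft   = $daysLeft
        SigAlg     = $sigAlg
        Thumbprint = $served.Thumbprint
        # Flag SHA1 signatures (the vLCM upgrade blocker) and certificates close to expiry
        NeedsRenew = ($sigAlg -match 'sha1') -or ($daysLeft -lt $WarnDays)
    }
}

$report | Sort-Object NeedsRenew -Descending | Format-Table -AutoSize
```

Hosts flagged with NeedsRenew are the ones to feed into the renewal script; keeping the thumbprint column from this run lets you confirm afterwards that the served certificate really changed.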
More Useful Tools: PowerCLI GUI: One Click Renew and Refresh VMware VMCA ESXi Certificate
Below is the description of what each action (Renew and Refresh) does. After a few readings and some testing of the script, I found that Renew and Refresh are effectively the same: both actions are invoked from the same task.
Renew: Retrieves a fresh signed certificate for the host from VMCA.
Refresh CA Certificates: Pushes all certificates in the TRUSTED_ROOTS store of the vCenter Server VECS store to the host.
Download the VMware PowerCLI Renew-ESXiCertificate.ps1 script here; it is also available on github.com.
```powershell
<#
.SYNOPSIS
    Renew ESXi certificates.
.DESCRIPTION
    This script renews ESXi certificates for the specified vCenter server
    #Powered By https://vcloud-lab.com.
.PARAMETER Server
    The server hostname or IP address.
.PARAMETER User
    The username for authentication.
.PARAMETER Password
    The password for authentication.
.EXAMPLE
    .\Renew-ESXiCertificate.ps1 -Server 'marvel.vcloud-lab.com' -User '[email protected]' -Password 'Computer@123'
#>
param (
    # Defaults below are the author's lab values; override them on the command line
    # rather than leaving real credentials in the script.
    [Parameter(Mandatory = $false, HelpMessage = "Enter server hostname or IP address")]
    [string]$Server = 'marvel.vcloud-lab.com',
    [Parameter(Mandatory = $false, HelpMessage = "Enter username for authentication")]
    [string]$User = '[email protected]',
    [Parameter(Mandatory = $false, HelpMessage = "Enter password for authentication")]
    [string]$Password = 'Computer@123',
    [Parameter(Mandatory = $false)]
    [switch]$Help,
    [Parameter(Mandatory = $false)]
    [switch]$VerboseOutput
)

if ($Help) {
    Get-Help $PSCommandPath
    return
}

if ($VerboseOutput) {
    $VerbosePreference = "Continue"
    Write-Verbose "Server: $Server"
    Write-Verbose "Username: $User"
}

try {
    Connect-VIServer -Server $Server -User $User -Password $Password -ErrorAction Stop
}
catch {
    Write-Host $error[0].exception.message -ForegroundColor Red
    return
}

$vmHosts = Get-VMHost
foreach ($vmHost in $vmHosts) {
    # Disconnected or not-responding hosts cannot receive a new certificate
    if ($vmHost.ConnectionState -ne 'Connected') {
        continue
    }
    # Certificate dates as seen by vCenter before the refresh
    $dateBeforeRenew = (Get-View -Id $vmHost.ExtensionData.ConfigManager.CertificateManager).CertificateInfo
    $hostRef = $vmHost.ExtensionData.MoRef
    # vCenter's CertificateManager singleton; its task method takes an array of HostSystem MoRefs
    $certManager = Get-View -Id 'CertificateManager-certificateManager'
    $taskID = $certManager.CertMgrRefreshCertificates_Task(@($hostRef))
    $taskInfo = Get-Task -Id $taskID.ToString()
    # Poll until the task leaves the Running state (Success or Error)
    while ($taskInfo.State -eq 'Running') {
        Start-Sleep -Seconds 2
        $taskInfo = Get-Task -Id $taskID.ToString()
    }
    # Certificate dates after the refresh; NotBefore moves forward when a new cert was issued
    $dateAfterRenew = (Get-View -Id $vmHost.ExtensionData.ConfigManager.CertificateManager).CertificateInfo
    $taskInfo | Select-Object @{Name='ESXi';Expression={$vmHost.Name}}, State, StartTime, FinishTime, PercentComplete,
        @{Name='Before_Renew';Expression={$dateBeforeRenew.NotBefore}},
        @{Name='After_Renew';Expression={$dateAfterRenew.NotBefore}}
}

# Alternative loop kept for reference: builds the ManagedObjectReference array explicitly
# foreach ($vmHost in $vmHosts)
# {
#     $hostParameters = New-Object VMware.Vim.ManagedObjectReference[] (1)
#     $hostParameters[0] = New-Object VMware.Vim.ManagedObjectReference
#     $hostParameters[0].Type = $vmHost.ExtensionData.MoRef.Type    #'HostSystem'
#     $hostParameters[0].Value = $vmHost.ExtensionData.MoRef.Value  #'host-3023'
#     $certificateManager = Get-View -Id 'CertificateManager-certificateManager'
#     $taskID = $certificateManager.CertMgrRefreshCertificates_Task($hostParameters)
#     $taskInfo = Get-Task -Id $taskID.ToString()
#     while (($taskInfo.State -ne 'Success') -or ($taskInfo.State -eq 'Error')) {
#         $taskInfo = Get-Task -Id $taskID.ToString()
#     }
# }
```
I looked for more information on the methods available to perform these tasks and could see that only refresh methods exist. After executing the script I compared the certificate dates before and after, and confirmed that a single method works for both renew and refresh in this case. Below is the information table for each method and property of the CertificateManager view.
| Name | Action | Definition |
|---|---|---|
| CertMgrRefreshCACertificatesAndCRLs | Method | void CertMgrRefreshCACertificatesAndCRLs(VMware.Vim.ManagedObjectReference[] host) |
| CertMgrRefreshCACertificatesAndCRLs_Task | Method | VMware.Vim.ManagedObjectReference CertMgrRefreshCACertificatesAndCRLs_Task(VMware.Vim.ManagedObjectReference[] host) |
| CertMgrRefreshCertificates | Method | void CertMgrRefreshCertificates(VMware.Vim.ManagedObjectReference[] host) |
| CertMgrRefreshCertificates_Task | Method | VMware.Vim.ManagedObjectReference CertMgrRefreshCertificates_Task(VMware.Vim.ManagedObjectReference[] host) |
| CertMgrRevokeCertificates | Method | void CertMgrRevokeCertificates(VMware.Vim.ManagedObjectReference[] host) |
| CertMgrRevokeCertificates_Task | Method | VMware.Vim.ManagedObjectReference CertMgrRevokeCertificates_Task(VMware.Vim.ManagedObjectReference[] host) |
| Equals | Method | bool Equals(System.Object obj) |
| GetHashCode | Method | int GetHashCode() |
| GetType | Method | type GetType() |
| SetViewData | Method | void SetViewData(VMware.Vim.ObjectContent objectContent, string[] properties) |
| ToString | Method | string ToString() |
| UpdateViewData | Method | void UpdateViewData(Params string[] properties), void UpdateViewData() |
| WaitForTask | Method | System.Object WaitForTask(VMware.Vim.ManagedObjectReference taskReference) |
| Client | Property | VMware.Vim.VimClient Client {get;} |
| MoRef | Property | VMware.Vim.ManagedObjectReference MoRef {get;} |
Below is a slightly different way to renew and refresh the certificate; it does the same task.
```powershell
foreach ($vmHost in $vmHosts) {
    # Build the HostSystem MoRef array explicitly instead of passing @($hostRef)
    $hostParameters = New-Object VMware.Vim.ManagedObjectReference[] (1)
    $hostParameters[0] = New-Object VMware.Vim.ManagedObjectReference
    $hostParameters[0].Type = $vmHost.ExtensionData.MoRef.Type    #'HostSystem'
    $hostParameters[0].Value = $vmHost.ExtensionData.MoRef.Value  #'host-3023'
    $certificateManager = Get-View -Id 'CertificateManager-certificateManager'
    $taskID = $certificateManager.CertMgrRefreshCertificates_Task($hostParameters)
    $taskInfo = Get-Task -Id $taskID.ToString()
    while ($taskInfo.State -eq 'Running') {
        Start-Sleep -Seconds 2
        $taskInfo = Get-Task -Id $taskID.ToString()
    }
}
```
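The table above lists two task methods, CertMgrRefreshCertificates_Task (renews the host certificate from VMCA) and CertMgrRefreshCACertificatesAndCRLs_Task (only pushes vCenter's trusted roots and CRLs to the host), and both loops on this page poll the task by hand and ignore a task that ends in Error. The function below is an added example, not the post's own script: it wraps either method behind a single command with -WhatIf support, waits with Wait-Task, surfaces the task's error message, and returns a change record per host. It assumes an existing Connect-VIServer session; the function and parameter names are assumptions.

```powershell
# Added example (not from the original post). Assumes Connect-VIServer has already been run.
function Invoke-EsxiCertificateRefresh {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # VMHost objects from Get-VMHost (untyped so the function parses before PowerCLI loads)
        [Parameter(Mandatory, ValueFromPipeline)]
        $VMHost,
        # 'Certificates' renews the host certificate from VMCA;
        # 'CACertificatesAndCRLs' only refreshes the host's trusted root store and CRLs.
        [ValidateSet('Certificates', 'CACertificatesAndCRLs')]
        [string]$Method = 'Certificates'
    )
    begin {
        # Singleton CertificateManager view on the connected vCenter Server
        $certManager = Get-View -Id 'CertificateManager-certificateManager'
    }
    process {
        foreach ($h in $VMHost) {
            if ($h.ConnectionState -ne 'Connected') {
                Write-Warning "$($h.Name): skipped, connection state is $($h.ConnectionState)"
                continue
            }
            $before = (Get-View -Id $h.ExtensionData.ConfigManager.CertificateManager).CertificateInfo

            # -WhatIf / -Confirm gate: nothing is changed unless ShouldProcess says so
            if (-not $PSCmdlet.ShouldProcess($h.Name, "CertMgrRefresh${Method}_Task")) { continue }

            # Both methods take a HostSystem[] MoRef array and return a Task MoRef
            $taskRef = switch ($Method) {
                'Certificates'          { $certManager.CertMgrRefreshCertificates_Task(@($h.ExtensionData.MoRef)) }
                'CACertificatesAndCRLs' { $certManager.CertMgrRefreshCACertificatesAndCRLs_Task(@($h.ExtensionData.MoRef)) }
            }

            # Wait-Task blocks until the task finishes; re-read the task for its final state,
            # and keep going on a failed task so the error lands in the report instead of aborting
            $task = Get-Task -Id $taskRef.ToString()
            Wait-Task -Task $task -ErrorAction SilentlyContinue | Out-Null
            $task = Get-Task -Id $taskRef.ToString()

            $after = (Get-View -Id $h.ExtensionData.ConfigManager.CertificateManager).CertificateInfo
            [pscustomobject]@{
                ESXi            = $h.Name
                Method          = $Method
                State           = $task.State                                  # Success or Error
                Error           = $task.ExtensionData.Info.Error.LocalizedMessage
                BeforeNotBefore = $before.NotBefore
                AfterNotBefore  = $after.NotBefore
                # A renewed host certificate has a newer NotBefore; a CA-only refresh leaves it unchanged
                Renewed         = ($Method -eq 'Certificates') -and ($after.NotBefore -gt $before.NotBefore)
                Status          = $after.Status
            }
        }
    }
}

# Dry run first, then the real run, keeping the output as the change record:
# Get-VMHost | Invoke-EsxiCertificateRefresh -WhatIf
# Get-VMHost | Invoke-EsxiCertificateRefresh | Export-Csv .\esxi-cert-refresh.csv -NoTypeInformation
```

Running it with -WhatIf before the real pass gives a list of exactly which hosts would be touched, and a non-empty Error column or a Renewed value of False on a 'Certificates' run is the signal to look at that host before the upgrade is attempted.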