
Regenerate Standalone ESXi Host Certificate

On a freshly installed ESXi host, the following error is displayed:

The certificate assigned to this host is not valid yet. You should install a valid certificate.

The issue is caused by a system time that was set to the future during ESXi installation. An incorrect system time can also cause issues when adding the ESXi host to vCenter Server. To solve the issue, set the correct time (best practice is to use an NTP server) and regenerate the certificate.

Fix timing issue:

  1. Open ESXi Host Client
  2. Navigate to Host > Manage > System > Time & date
  3. Press Edit NTP Settings
  4. Set the NTP startup policy to Start and stop with host
  5. Add an NTP server (e.g. pool.ntp.org)
  6. Press SAVE
  7. Navigate to Host > Manage > System > Services
  8. Highlight the NTP Daemon (ntpd) and press Start

Regenerate the certificate:

  1. Navigate to Host > Manage > System > Services
  2. Start the SSH Service
  3. Connect to the ESXi host using SSH and login as root
  4. Verify the current date and certificate start date.
    # date
    Mon Jul  2 19:19:58 UTC 2023
    
    # openssl s_client -connect localhost:443 | grep notBefore
    verify error:num=9:certificate is not yet valid
    notBefore=Jul  3 23:03:15 2023 GMT
  5. Regenerate the Certificate
    # /sbin/generate-certificates
  6. Restart hostd
    # /etc/init.d/hostd restart

 

Note: This method should not be used when the ESXi host is already added to a vCenter Server. In that case, renew the certificate using Right-Click ESXi Host in Inventory > Certificates > Renew Certificate.
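
The comparison from step 4 can be scripted to confirm that the clock is correct before regenerating and that the new certificate is valid afterwards. This is an added example, not part of the original article; the function names are assumptions, and the sample run uses the values shown in step 4.

```shell
#!/bin/sh
# Added example (not from the original article); POSIX sh.

# Convert an openssl date ("Jul  3 23:03:15 2023 GMT") to YYYYMMDDHHMMSS.
cert_time_to_stamp() {
    # Unquoted on purpose: word splitting collapses the padding that
    # openssl puts in front of single-digit days.
    set -- $1
    mon=$1 day=$2 hms=$3 year=$4
    case $mon in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    if [ "${#day}" -eq 1 ]; then day="0$day"; fi
    stamp="${year}${m}${day}$(echo "$hms" | tr -d :)"
    # Reject anything that is not exactly 14 digits.
    case $stamp in *[!0-9]*) return 1 ;; esac
    [ "${#stamp}" -eq 14 ] || return 1
    echo "$stamp"
}

# $1: "notBefore=..." line, $2: optional clock override (YYYYMMDDHHMMSS, UTC).
# Returns 0 if the certificate is not yet valid, 1 if its start date has
# passed, 2 if the line cannot be parsed.
cert_not_yet_valid() {
    start=$(cert_time_to_stamp "${1#notBefore=}") || return 2
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    [ "$start" -gt "$now" ]
}

# Live check against a host (assumed helper name; not called here).
check_host_cert() {
    line=$(openssl s_client -connect "${1:-localhost:443}" </dev/null 2>/dev/null |
        openssl x509 -noout -startdate) || return 2
    cert_not_yet_valid "$line"
}

# Sample run with the clock and notBefore values shown in step 4.
if cert_not_yet_valid "notBefore=Jul  3 23:03:15 2023 GMT" 20230702191958; then
    echo "certificate start date is in the future: fix the clock, then regenerate"
else
    echo "certificate start date has passed"
fi
```

On the host, run `check_host_cert` once after NTP has synchronised and again after restarting hostd; a return code of 1 on the second run means the regenerated certificate is already valid.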

 
