On a freshly installed ESXi host, the following error is displayed:
The certificate assigned to this host is not valid yet. You should install a valid certificate.
The issue is caused by the system time being set in the future during ESXi installation: the certificate generated during installation then has a start date (notBefore) that is later than the actual time. An incorrect system time can also cause issues when adding the ESXi host to vCenter Server. To solve the issue, set the correct time (best practice is to use an NTP server) and regenerate the certificate.
Fix timing issue:
- Open ESXi Host Client
- Navigate to Host > Manage > System > Time & date
- Press Edit NTP Settings
- Set the NTP startup policy to Start and stop with host
- Add an NTP server (e.g. pool.ntp.org)
- Press SAVE
- Navigate to Host > Manage > System > Services
- Highlight the NTP Daemon (ntpd) and press Start
Regenerate the certificate:
- Navigate to Host > Manage > System > Services
- Start the SSH Service
- Connect to the ESXi host using SSH and log in as root
- Verify the current date and certificate start date.
# date
Mon Jul 2 19:19:58 UTC 2023
# openssl s_client -connect localhost:443 |grep notBefore
verify error:num=9:certificate is not yet valid
notBefore=Jul 3 23:03:15 2023 GMT
- Regenerate the Certificate
# /sbin/generate-certificates
- Restart hostd
# /etc/init.d/hostd restart
Note: This method should not be used when the ESXi host is already added to a vCenter Server. In that case, the certificate should be renewed using Right-Click ESXi Host in Inventory > Certificates > Renew Certificate.
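
The manual comparison from the "Verify the current date and certificate start date" step can be scripted from an admin workstation, for example to check several hosts before and after regenerating. This is an added example, not part of the original article; the function names, the constructed notAfter value and the presence of a local openssl binary are assumptions.

```python
import ssl
import subprocess
import sys
import time

def parse_validity(openssl_text):
    """Extract notBefore/notAfter as epoch seconds (UTC) from openssl output."""
    window = {}
    for line in openssl_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            window[key] = ssl.cert_time_to_seconds(value.strip())
    return window

def classify(window, now):
    """Return (state, seconds by which `now` lies outside the validity window)."""
    if not window:
        return "unknown", 0
    if "notBefore" in window and now < window["notBefore"]:
        return "not_yet_valid", window["notBefore"] - now
    if "notAfter" in window and now > window["notAfter"]:
        return "expired", now - window["notAfter"]
    return "valid", 0

def check_host(host, port=443):
    """Fetch the host certificate and compare it with the local clock.

    The certificate is fetched without verification on purpose: it is the
    object being inspected, and a not-yet-valid one would fail a handshake check.
    """
    pem = ssl.get_server_certificate((host, port))
    dates = subprocess.run(["openssl", "x509", "-noout", "-dates"], input=pem,
                           capture_output=True, text=True, check=True).stdout
    return classify(parse_validity(dates), time.time())

# Constructed sample: the first two lines are the output shown in the article,
# the notAfter line is invented for illustration.
SAMPLE = ("verify error:num=9:certificate is not yet valid\n"
          "notBefore=Jul 3 23:03:15 2023 GMT\n"
          "notAfter=Jan 1 23:03:15 2035 GMT\n")
# The `date` output from the article, used as the reference clock.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul 2 19:19:58 2023 GMT")

if __name__ == "__main__":
    if len(sys.argv) > 1:          # usage: script.py <host> [<host> ...]
        for name in sys.argv[1:]:
            print(name, *check_host(name))
    else:                          # no arguments: evaluate the sample above
        print(*classify(parse_validity(SAMPLE), SAMPLE_NOW))
```

The result depends on the workstation's own clock, so that clock should itself be NTP-synchronised.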