VMware vSphere


 VCSA certs expired - cannot renew

Ric Turner posted Aug 13, 2025 07:43 AM

I am getting a 'no healthy upstream' error when trying to connect to vCenter Server. After Googling, I believe this is because my certificates have expired. I have tried following the video here:

https://www.youtube.com/watch?v=dCFoNfRFOrQ

and also this document:

https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/vsphere-security-7-0/securing-esxi-hosts/certificate-management-for-esxi-hosts/renew-esxi-certificates.html

But it seems to get to 85% and then times out/rolls back. When I log into the VCSA as 'root' I can see a lot of my services are also stopped.

How can I get my certificates renewed/get back into the vSphere Client?

Matthias Kaufmann
Ric Turner

Hi Matthias. Sorry, but these refer to running Python scripts - how do I do that on my VCSA? I am connecting to it via PuTTY on my Windows machine, but I don't know how to upload the Python scripts and run them.

Matthias Kaufmann

Use something like WinSCP or similar to upload the script to VCSA. Or just create a support case and let them do it for you.

Broadcom Employee Syed Salman Hafiz

Right, as @Matthias Kaufmann mentioned, upload the vCert script to the VCSA using WinSCP and choose "Manage Certificates."

  • The vCert script is a menu-driven tool meant to provide management capability for most vCenter Server certificate-related operations.

  • This option replaces the Machine SSL certificate in VECS and updates the SSL trust anchors for the current node. A VMCA-signed certificate or custom CA-signed certificate can be used.
    • Custom CA-signed certificate - There is an option to generate a private key and Certificate Signing Request or import the signed certificate and key. If the presented CA-signed certificate does not include a complete CA chain, then the script will prompt for a file containing the complete chain.
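
Added example (not part of vCert and not from any post in this thread): a way to check, with plain `openssl` in a shell, whether a custom CA bundle is a complete chain and how long a certificate has left before importing it. It builds a throwaway constructed chain so it runs anywhere; every file name and subject is an assumption, and `openssl verify` stands in for whatever check vCert itself performs.

```shell
#!/bin/bash
# Added example. Certificates, subjects and file names are constructed.

# Exit 0 if leaf ($1) chains to a self-signed root using only the CAs in the
# bundle ($2). Without -partial_chain, openssl insists on reaching a root.
chain_is_complete() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Build a constructed root -> issuing CA -> leaf chain (30-day lifetime) in $1.
make_demo_chain() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Issuing CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vcsa.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/chain-full.pem"   # issuing CA + root
    cp "$d/int.pem" "$d/chain-partial.pem"                 # root missing
}

demo=$(mktemp -d)
make_demo_chain "$demo"
for bundle in chain-full.pem chain-partial.pem; do
    if chain_is_complete "$demo/leaf.pem" "$demo/$bundle"; then
        echo "$bundle: complete chain"
    else
        echo "$bundle: incomplete, a CA certificate is missing"
    fi
done
cert_valid_for_days "$demo/leaf.pem" 60 || echo "leaf.pem expires within 60 days"
```

With real files, pass the signed certificate and the CA bundle from your own CA in place of the constructed ones.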