When adding a host to VMware vCenter Server, the VMware Certificate Authority pre-dates VMware vSphere ESXi certificates by 24 hours to avoid time synchronization issues.
For example:
- Current time on vCenter is 10-Jan-2020 10:00
- VMCA Root Cert is Valid from 10-Jan-2020 07:00
- When you try to add the ESXi host to vCenter Server, the CSR is generated with a start date of "Current Date - 1 day", which is 09-Jan-2020 10:00:00
- The VMCA certificate is valid from 10-Jan-2020 07:00, but it receives a request to sign a certificate with the earlier start date of 09-Jan-2020 10:00. That start date is not valid, and the operation fails
- In this situation, the advanced setting "vpxd.certmgmt.certs.minutesBefore" lets you customize how far the ESXi certificate start date is pre-dated, instead of the default 24 hours
To change vpxd.certmgmt.certs.minutesBefore to 10:
- Connect to the vCenter Server using the vSphere Client and administrator credentials.
- Select Administration > vCenter Server Settings to display the vCenter Server Settings dialog box.
- In the settings list, select Advanced Settings.
- In the Key field, type a key.
- In the Key field, enter this key:
vpxd.certmgmt.certs.minutesBefore
- In the Value field, enter:
10
- Click Add.
- Click OK.
To work around this issue if you do not want to upgrade, use one of these options:
- Wait 24 hours after replacing the VMware Certificate Authority certificate with an enterprise subordinate certificate before attempting to add additional hosts to vCenter Server.
- Join hosts to VMware vCenter Server prior to replacing the VMware Certificate Authority certificate with an enterprise subordinate certificate.
Note: VMware vSphere ESXi hosts added to VMware vCenter Server prior to replacing the VMware Certificate Authority certificate are not affected.
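The timing check from the example above, as an added Python sketch (not VMware code): it compares the pre-dated host certificate start against the VMCA certificate's notBefore and reports how long to wait or how large minutesBefore can be right now. The function names, the UTC assumption, the `openssl x509 -noout -startdate` input line and the sample times are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_MINUTES_BEFORE = 24 * 60  # the default 24-hour pre-dating described above


def parse_openssl_date(line):
    """Parse a line such as 'notBefore=Jan 10 07:00:00 2020 GMT',
    as printed by `openssl x509 -noout -startdate`."""
    value = line.strip().split("=", 1)[-1]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def check_host_add(now, ca_not_before, minutes_before=DEFAULT_MINUTES_BEFORE):
    """Check whether a host certificate pre-dated by minutes_before would
    start inside the VMCA certificate's validity period.

    Assumption: a start date equal to the CA notBefore is treated as valid.
    The CA notAfter date is not checked here.
    """
    host_not_before = now - timedelta(minutes=minutes_before)
    ok = host_not_before >= ca_not_before
    # Time until the pre-dated start no longer precedes the CA start date.
    wait = timedelta(0) if ok else ca_not_before - host_not_before
    # Largest pre-dating, in whole minutes, that would still be valid now.
    max_minutes = max(0, int((now - ca_not_before).total_seconds() // 60))
    return {
        "host_not_before": host_not_before,
        "ok": ok,
        "wait": wait,
        "max_minutes_before": max_minutes,
    }


if __name__ == "__main__":
    # Constructed sample values matching the example in this article (UTC assumed).
    now = datetime(2020, 1, 10, 10, 0, tzinfo=timezone.utc)
    ca_start = parse_openssl_date("notBefore=Jan 10 07:00:00 2020 GMT")
    for minutes in (DEFAULT_MINUTES_BEFORE, 10):
        result = check_host_add(now, ca_start, minutes)
        print(f"minutesBefore={minutes}: start={result['host_not_before']:%d-%b-%Y %H:%M} "
              f"ok={result['ok']} wait={result['wait']} "
              f"max={result['max_minutes_before']}")
```

With the article's times, the default setting fails and would need a 21-hour wait, while a value of 10 places the host certificate start at 09:50, inside the VMCA validity period.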