ESXi host certificates issued by the VMCA have a limited lifetime, so we need to renew them from time to time before they expire and hosts start failing TLS checks.
In the vSphere Client this is a single click, but for 20, 100 or more hosts it becomes a tedious task, and that is where an automation tool like PowerCLI reduces the workload.
You can renew an ESXi certificate in the UI with the steps below.
Right click the ESXi host => Certificate => Renew Certificate
Click the link below to find out more about renewing the certificate.
There are some prerequisites before using this function:
- Be connected to exactly one vCenter at a time; with multiple vCenter connections the function refuses to run, because the CertificateManager it calls belongs to one vCenter.
- The host must be either Connected or in Maintenance Mode.
- PowerCLI version 6.3 or later.
function Renew-VMHostCertificate
{
<#
.NOTES
===========================================================================
Created by: Ankush Sethi
Blog: www.vmwarecode.com
===========================================================================
.SYNOPSIS
Renew the VMCA-signed certificate of an ESXi host
.DESCRIPTION
Asks the vCenter CertificateManager to refresh (re-issue) the certificate of the given
ESXi host, the same operation as Certificate => Renew Certificate in the UI.
Requires a connection to exactly one vCenter; the host must be Connected or in Maintenance Mode.
.PARAMETER VMHost
The ESXi host object (from Get-VMHost) whose certificate should be renewed
.PARAMETER RunAsync
Start the renewal as a vCenter task and return immediately instead of waiting for it
.EXAMPLE
Get-VMHost ESXiName|Renew-VMHostCertificate -RunAsync
.EXAMPLE
Renew-VMHostCertificate -VMHost (Get-VMHost "ESXi") -RunAsync:$true
.EXAMPLE
Get-Cluster "ClusterName"|Get-VMHost|Renew-VMHostCertificate
.EXAMPLE
Get-VMHost ESXiName|Renew-VMHostCertificate
.EXAMPLE
Renew-VMHostCertificate -VMHost (Get-VMHost "ESXi")
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost]$VMHost,
[switch]$RunAsync
)
begin
{
    # Refuse to run against more than one vCenter: the CertificateManager is per vCenter
    # and Get-VMHost would otherwise search all connected servers.
    if ($global:DefaultVIServers.Count -gt 1)
    {
        Write-Error -Message "Currently you are connected to more than one vCenter; disconnect and connect only to the vCenter that manages the host" -ErrorAction Stop
    }
    elseif ($global:DefaultVIServers.Count -lt 1)
    {
        Write-Error -Message "You are not connected to a vCenter, so the task cannot be performed" -ErrorAction Stop
    }
    # The CertificateManager managed object of vCenter performs the refresh on behalf of the host
    $ServiceInstance = Get-View ServiceInstance
    $CertMgr = Get-View -Id $ServiceInstance.Content.CertificateManager
}
process
{
    # Re-read the host so the connection state we check is current, not cached in the object
    try
    {
        $validation = Get-VMHost -Name $VMHost.Name -ErrorAction Stop
    }
    catch
    {
        Write-Error -Message "ESXi host '$($VMHost.Name)' does not exist in $global:DefaultVIServer"
        return
    }
    if (($validation.ConnectionState -eq "Connected") -or ($validation.ConnectionState -eq "Maintenance"))
    {
        $hostRef = $validation.ExtensionData.MoRef
        if ($RunAsync)
        {
            # Returns the Task reference immediately without waiting for completion
            $null = $CertMgr.CertMgrRefreshCertificates_Task(@($hostRef))
        }
        else
        {
            # Blocks until the host has received and installed the new certificate
            $CertMgr.CertMgrRefreshCertificates(@($hostRef))
        }
    }
    else
    {
        # Non-terminating so that a pipeline over a whole cluster continues with the other hosts
        Write-Error -Message "Action cannot be performed on host '$($validation.Name)' in state $($validation.ConnectionState)"
    }
}
end
{
    # Show the certificate refresh tasks (completed in sync mode, still running with -RunAsync)
    Get-Task | Where-Object { $_.Name -match "Certificate" } | Format-Table -AutoSize
}
}
Sample usage of the function with all parameters:
Renew-VMHostCertificate -VMHost (Get-VMHost "esxname") -RunAsync:$true
Here -RunAsync means that the command returns immediately without waiting for the renewal task to complete; the task then shows up in Get-Task.
You can also use the function without -RunAsync, as in the sample below:
Renew-VMHostCertificate -VMHost (Get-VMHost "ESXiName")
Sample usage with the pipeline:
Get-VMHost esxname|Renew-VMHostCertificate
You can use -RunAsync with the pipeline as well:
Get-VMHost esxname|Renew-VMHostCertificate -RunAsync:$true
You can also use the pipeline with a cluster. To perform the action on a whole cluster, use the sample below:
Get-Cluster ClusterName|Get-VMHost|Renew-VMHostCertificate
Sample output: the function displays the certificate task status:
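Renewing every host in a cluster works, but for a fleet you usually want to renew only the hosts that are actually close to expiry and then prove the renewal took effect. The script below is an added example, not code from the original post; it assumes Renew-VMHostCertificate above is already dot-sourced, a single vCenter connection, and a cluster name of "ClusterName" that you replace with your own. It reads each host's certificate details from the HostCertificateManager managed object that vCenter exposes for the host (Subject, Issuer, NotBefore, NotAfter and Status), renews the hosts whose certificate expires within a threshold, and then re-reads the details to confirm NotAfter moved forward.

```powershell
# Added example (not from the original post). Assumes Renew-VMHostCertificate is loaded,
# exactly one vCenter connection, and a cluster named "ClusterName" (placeholder).
function Get-VMHostCertificateInfo
{
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost]$VMHost
    )
    process
    {
        # ConfigManager.CertificateManager points at the host's HostCertificateManager;
        # its CertificateInfo property describes the certificate currently installed on the host.
        $info = (Get-View -Id $VMHost.ExtensionData.ConfigManager.CertificateManager).CertificateInfo
        [pscustomobject]@{
            VMHost    = $VMHost.Name
            Subject   = $info.Subject
            Issuer    = $info.Issuer
            NotBefore = $info.NotBefore
            NotAfter  = $info.NotAfter
            DaysLeft  = [int]($info.NotAfter - (Get-Date)).TotalDays
            Status    = $info.Status
        }
    }
}

$cluster   = "ClusterName"   # placeholder, replace with your own cluster
$threshold = 30              # renew when fewer than this many days remain

# Inventory before renewal, sorted so the most urgent hosts are listed first
$before = Get-Cluster $cluster | Get-VMHost | Get-VMHostCertificateInfo
$before | Sort-Object DaysLeft | Format-Table -AutoSize

# Hosts within the threshold (or already expired) that are in a state the function accepts
$expiring = @($before | Where-Object { $_.DaysLeft -lt $threshold })
$targets  = @()
if ($expiring.Count -gt 0)
{
    $targets = @(Get-VMHost -Name $expiring.VMHost |
        Where-Object { $_.ConnectionState -in "Connected","Maintenance" })
}

if ($targets.Count -gt 0)
{
    # Synchronous renewal: the function returns once each host has installed its new certificate
    $targets | Renew-VMHostCertificate

    # Verify the renewal: NotAfter must have moved forward compared to the inventory taken before
    $after = $targets | Get-VMHostCertificateInfo
    foreach ($h in $after)
    {
        $old = $before | Where-Object { $_.VMHost -eq $h.VMHost }
        if ($h.NotAfter -gt $old.NotAfter)
        {
            Write-Host ("{0}: renewed, issued by '{1}', valid until {2}" -f $h.VMHost, $h.Issuer, $h.NotAfter)
        }
        else
        {
            Write-Warning ("{0}: certificate did not change (NotAfter still {1}); check hostd.log" -f $h.VMHost, $h.NotAfter)
        }
    }
}
else
{
    Write-Host "No host certificates in '$cluster' expire within $threshold days; nothing to renew."
}
```

The comparison is done against the inventory captured before the renewal rather than against a fixed date, so the check does not depend on how long the VMCA issues certificates for in your environment. Hosts that are Disconnected or Not Responding are dropped from the targets instead of aborting the run, which mirrors the state check inside the function.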
You can also check hostd.log on the host for more details with the command below:
grep -i "Certificate" /var/log/hostd.log
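The hostd log tells you what the host did, but the check that matters for clients is what the host now presents on TCP 443. vCenter records the fingerprint it expects for each host in Summary.Config.SslThumbprint, so a mismatch after renewal means the host is still serving the old certificate, or something in the path is presenting a different one. The script below is an added example, not code from the original post; it assumes a single vCenter connection, that the host names in vCenter are resolvable from where the script runs, and the placeholder cluster name "ClusterName". It opens a TLS connection to each host, captures the presented certificate and compares its SHA-1 thumbprint with the one vCenter stores.

```powershell
# Added example (not from the original post). Assumes exactly one vCenter connection,
# resolvable host names and a cluster named "ClusterName" (placeholder).
function Get-PresentedCertificate
{
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try
    {
        # Accept any certificate during the handshake on purpose: we only want to capture what
        # the host presents; the trust decision is the thumbprint comparison made afterwards.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try
        {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally
        {
            $ssl.Dispose()
        }
    }
    finally
    {
        $client.Close()
    }
}

function Test-VMHostPresentedCertificate
{
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost]$VMHost
    )
    process
    {
        # Re-read the host so we get the thumbprint vCenter stored after the renewal.
        # vCenter stores it as colon-separated SHA-1 hex; X509Certificate2.Thumbprint is the
        # same SHA-1 digest without separators, so normalise before comparing.
        $fresh    = Get-VMHost -Name $VMHost.Name
        $expected = ($fresh.ExtensionData.Summary.Config.SslThumbprint -replace ":", "").ToUpper()
        $cert     = Get-PresentedCertificate -HostName $fresh.Name
        [pscustomobject]@{
            VMHost    = $fresh.Name
            Expected  = $expected
            Presented = $cert.Thumbprint
            Match     = ($cert.Thumbprint -eq $expected)
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
        }
    }
}

Get-Cluster "ClusterName" | Get-VMHost | Test-VMHostPresentedCertificate | Format-Table -AutoSize
```

Any row with Match set to False deserves attention: after a successful renewal the presented certificate and the thumbprint in vCenter change together, so a stale fingerprint on either side is the earliest sign that the renewal did not reach the host's reverse proxy.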
How to use the function
- Copy the code above and paste it into Notepad.
- Save it under any name with the extension .ps1.
- Open PowerCLI and change to the directory where the file is saved using cd.
- Run the command . .\FileName.ps1 (note: there is a space between the two dots; this dot-sources the file).
- The function is now loaded into the local PowerCLI session and you can use it like a cmdlet.
2 responses to “How to renew the ESXi VMCA certificate using PowerCLI”
[…] do this renewal via PowerCLI (because…well why wouldn’t you!?) there is a nice function here by Ankush Sethi which does a great […]
[…] If you have a large number of hosts, you may want to check out how PowerCLI can help automate these repetitive steps. VMware Code has a sample script you should check out. […]