Renewing a Host Certificate doesn’t push full certificate chain to the host

When we renew the ESXi certificate using vCenter, and vCenter (or the PSC) is configured as a subordinate CA, the certificate chain is missing from the certificate issued to ESXi.


After the renewal you may see that the ESXi certificate isn't trusted and that the chain is missing.


This issue is seen with vSphere 6.7 GA and U1 and is fixed in 6.7 U2; details are available in the KB.

To work around the issue, follow these steps.

SSH to the ESXi server.
Make a copy of config.xml:

cp /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/Backup_config.xml

Modify the following line, which is commented out:

<!-- <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile> -->


Then reboot the ESXi server using vCenter or ESXi host access. After the reboot, if you renew the ESXi certificate, the chain should be pushed properly, as in the example below.
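The workaround above, scripted as an added example (not code from the original post): it backs up config.xml, uncomments the keyStoreFile element, and includes a small chain check for after the renewal. The config fragment it runs against is constructed here; on a real host point it at /etc/vmware/rhttpproxy/config.xml and reboot afterwards as described.

```shell
#!/bin/sh
# Added example, not part of the original post: applies the rhttpproxy
# workaround to a config.xml and offers a post-renewal chain check. The
# sample config below is constructed; on a real host pass
# /etc/vmware/rhttpproxy/config.xml and reboot afterwards as the post says.

# Back up config.xml next to itself and uncomment the keyStoreFile element.
enable_keystore() {
    cfg="$1"
    cp "$cfg" "$(dirname "$cfg")/Backup_config.xml"
    # Rewrite "<!-- <keyStoreFile>...</keyStoreFile> -->" to the bare element;
    # writing to a temp file avoids relying on a non-portable "sed -i".
    sed -e 's|<!--[[:space:]]*\(<keyStoreFile>[^<]*</keyStoreFile>\)[[:space:]]*-->|\1|' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Exit 0 if the keyStoreFile element is active (not inside a comment).
keystore_enabled() {
    grep -q '^[[:space:]]*<keyStoreFile>[^<]*</keyStoreFile>[[:space:]]*$' "$1"
}

# Count certificates in a PEM bundle, e.g. the saved output of
# "openssl s_client -showcerts" against the host. After the renewal, more
# than one means the chain is presented; exactly one means it is still missing.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Demo on a constructed fragment of config.xml in a temporary directory.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/config.xml" <<'EOF'
<config>
  <ssl>
    <!-- <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile> -->
  </ssl>
</config>
EOF
    enable_keystore "$dir/config.xml"
    if keystore_enabled "$dir/config.xml"; then
        echo "keyStoreFile enabled; backup at $dir/Backup_config.xml"
    else
        echo "keyStoreFile still commented out" >&2
        return 1
    fi
}

demo
```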