Unable to connect host to vCenter due to incorrect SAN in ESXi certificate.

In rare cases, VMCA (the VMware Certificate Authority) renews or replaces the ESXi host certificate with one whose SAN (Subject Alternative Name) contains the host's IP address instead of its FQDN. When that happens the host can no longer be connected to vCenter, because the certificate the host presents does not match what vCenter expects and the SSL thumbprint check fails.

Opening the host by FQDN (https://ESXiFQDN/ui) shows “NET::ERR_CERT_COMMON_NAME_INVALID” in the browser, whereas opening it by IP address (https://ESXiIP/ui) does not, because the IP address is the only name the certificate actually carries.

(Screenshot: ESXi_IP_Cert.jpg)


When you try to connect the host to vCenter, the following error is shown:

Authenticity of the host's SSL certificate is not verified
A general system error occurred: Unable to push CA certificates and CRLs to host hostname.domain.local 


To solve this problem, restart the management agents on the ESXi host (refer to the VMware KB article on restarting management agents).
This should fix the certificate issue automatically, and the host can then be added back to vCenter. Before re-adding it, confirm that https://ESXiFQDN/ui no longer shows the certificate error, i.e. that the SAN of the host certificate now carries the FQDN rather than only the IP address.
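The following script is an added example, not part of the original post or of any VMware tooling. It reproduces the faulty certificate shape described above with a self-signed test certificate (SAN containing only an IP address) next to a correct one (SAN containing the FQDN), and shows the two checks a practitioner wants before re-adding the host: whether the SAN lists DNS:&lt;FQDN&gt;, and the SHA-1 fingerprint that vCenter shows as the host's SSL thumbprint. The FQDN esxi01.domain.local, the IP 192.168.1.10 and the file names are assumed values; it needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: esxi01.domain.local
# and 192.168.1.10. Builds two self-signed test certs and checks their SAN.
set -e

WORK=$(mktemp -d)

# make_cert <prefix> <subjectAltName value>
# Self-signed cert with the given SAN, CN fixed to the assumed FQDN. A config
# file is used instead of -addext so it also works with older OpenSSL.
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = esxi01.domain.local
[v3]
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -config "$WORK/$1.cnf" >/dev/null 2>&1
}

# cert_san <pem file>: print the SAN entries, one per line
# (e.g. "DNS:esxi01.domain.local" / "IP Address:192.168.1.10").
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ {getline; gsub(/^[ \t]+/, ""); gsub(/, /, "\n"); print}'
}

# san_has_fqdn <pem file> <fqdn>: exit 0 when the SAN lists DNS:<fqdn>.
# A certificate that fails this is the one the browser rejects with
# NET::ERR_CERT_COMMON_NAME_INVALID when opened as https://<fqdn>/ui.
san_has_fqdn() {
    cert_san "$1" | grep -qxF "DNS:$2"
}

# cert_thumbprint <pem file>: SHA-1 fingerprint, the value vCenter records
# as the host's SSL thumbprint; it changes with every new certificate.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# The faulty VMCA-issued shape (IP only) and the correct shape (FQDN + IP).
make_cert bad  "IP:192.168.1.10"
make_cert good "DNS:esxi01.domain.local,IP:192.168.1.10"

for c in bad good; do
    printf '%s: SAN=[%s] thumbprint=%s\n' "$c" \
        "$(cert_san "$WORK/$c.crt" | tr '\n' ' ')" "$(cert_thumbprint "$WORK/$c.crt")"
    if san_has_fqdn "$WORK/$c.crt" esxi01.domain.local; then
        echo "  valid for https://esxi01.domain.local/ui"
    else
        echo "  FQDN missing from SAN: browser shows NET::ERR_CERT_COMMON_NAME_INVALID"
    fi
done

# Against a live host, feed the served certificate instead (not run here):
#   openssl s_client -connect esxi01.domain.local:443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -text
```

Run `cert_san` and `cert_thumbprint` against the certificate the host actually serves (the `s_client` line at the end) both before and after restarting the management agents: the SAN should gain the DNS entry and the thumbprint will change, which is why vCenter has to learn the new certificate when the host is added back.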
