Field Dispatch: Increase the ESX Certificate Key Size in VMware Cloud Foundation 9.0
In VMware Cloud Foundation 9.0, the certificate workflow in VMware Cloud Foundation Operations ("VCF Operations") can make ESX certificate replacement look more constrained than it is.
When generating a CSR for an ESX host, the interface may show 2048 as the only RSA key size available. In an environment where server certificates must use 3072-bit or 4096-bit keys, that can look like a mismatch between the platform and the security baseline.
The important detail is where the CSR gets its key size. For ESX hosts, CSR generation can use the host's advanced certificate key size setting, even when VCF Operations only displays 2048.
So the question is not only what the dialog shows. It is what the ESX host is configured to use when the CSR is created.
The Setting That Matters
The ESX host advanced setting is `Config.HostAgent.ssl.minPrivateKeyLength`.
You can set that value on the ESX host before generating the CSR from VCF Operations. For environments that require larger keys, the practical values to test are:
| Requirement | Setting Value |
|---|---|
| RSA 2048-bit key | RSA-2048 (Default) |
| RSA 3072-bit key | RSA-3072 |
| RSA 4096-bit key | RSA-4096 |
The important behavior is that the VCF Operations CSR dialog may still display only 2048, but the generated CSR will use the ESX host setting.
Validate in Your Environment
Treat this as a procedure to test before rolling across a fleet. Certificate replacement touches host management trust, so verify the CSR and the resulting certificate on one host before applying the change more broadly.
Update the ESX Host Advanced Setting
Start in vCenter, not VCF Operations.
- Log in to the vSphere Client for the vCenter that manages the ESX host.
- Go to Hosts and Clusters.
- Select the ESX host.
- Open Configure.
- Under System, select Advanced System Settings.
- Click Edit.
- Filter for `Config.HostAgent.ssl.minPrivateKeyLength`.
- Change the value from `RSA-2048` to the required value, such as `RSA-3072` or `RSA-4096`.
- Save the change.
That is the part worth doing deliberately. If your certificate authority or organizational policy requires 3072-bit keys, set RSA-3072. If the requirement is 4096-bit keys, set RSA-4096. Do not pick a larger key size just because it is available; match the security requirement and operational standard you actually have to support.
Generate the CSR
After the ESX host setting is updated, move back to VCF Operations.
- Log in to VCF Operations.
- Go to Fleet Management.
- Open Certificates.
- Expand VCF Instances.
- Select the target VCF instance.
- Enable Show ESX Hosts.
- Select the ESX host.
- Open the actions menu and select Generate CSR.
- Complete the CSR fields.
- Save the request.
The UI may still show a key size of 2048. That is the awkward part. The useful part is that the CSR generation process should use the ESX host setting you changed earlier.
Note
This does not make the VCF Operations UI any less confusing. It means the value shown in the dialog should not be treated as the final authority for the CSR's actual key size.
Replace the Certificate
Once the CSR has been generated and processed by your configured certificate authority, complete the certificate replacement from the same ESX host view in VCF Operations.
- Select the ESX host.
- Open the actions menu.
- Select Replace With Configured CA Certificate.
- Confirm the replacement.
- Wait for the workflow to complete.
The exact approval and signing path depends on how certificate authority integration is configured in your environment, but the key point is the same: set the host advanced setting before generating the CSR.
Verify the Result
Do not stop at a successful workflow status. Verify the certificate.
After replacement, inspect the ESX host certificate and check the public key information. The certificate should report the expected key size, such as a 3072-bit or 4096-bit RSA public key.
The workflow success alone is not the evidence. The evidence is the resulting certificate showing the expected public key size.
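The two checks above, on the CSR before it goes to the CA and on the installed certificate after replacement, come down to reading the RSA key length that OpenSSL reports. The following POSIX shell functions are an added example, not code from the original post or from VMware; they assume `openssl` is installed on the workstation, that the ESX host answers TLS on port 443, and that the hostname `esx01.example.com` and the file name `host.csr` are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the RSA key size of an
# ESX CSR and of the installed host certificate, independent of what the
# VCF Operations dialog displays.
# Assumptions: openssl is on PATH; the host management interface serves
# TLS on 443; host name and CSR path below are placeholders.

# Read `openssl x509 -text` or `openssl req -text` output on stdin and print
# the RSA key length in bits (matches both "Public-Key: (N bit)" and the
# older "RSA Public-Key: (N bit)" wording). Prints nothing if not found.
rsa_key_bits() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Compare the reported key size with the size your standard requires.
# Returns 0 on an exact match, 1 otherwise, and prints a PASS/FAIL line.
check_key_size() {
    actual="$1"
    required="$2"
    case "$actual" in
        ''|*[!0-9]*)
            echo "FAIL: could not read an RSA key size (got '${actual}')"
            return 1 ;;
    esac
    if [ "$actual" -eq "$required" ]; then
        echo "PASS: RSA public key is ${actual}-bit"
        return 0
    fi
    echo "FAIL: expected ${required}-bit RSA, certificate reports ${actual}-bit"
    return 1
}

# Key size of a saved CSR (PEM), useful before submitting it to the CA.
# Usage: csr_key_bits host.csr
csr_key_bits() {
    openssl req -noout -text -in "$1" | rsa_key_bits
}

# Key size of the certificate an ESX host presents over TLS, useful after
# the replacement workflow reports success.
# Usage: esx_cert_key_bits esx01.example.com [443]
esx_cert_key_bits() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | rsa_key_bits
}

# Example invocations (placeholders, uncomment to run):
#   check_key_size "$(csr_key_bits host.csr)" 3072
#   check_key_size "$(esx_cert_key_bits esx01.example.com)" 3072
```

Run the CSR check first: if the CSR already reports 2048 bits, the host setting was not in effect when the CSR was generated, and there is no point sending it to the CA. The exit status of `check_key_size` makes the check usable in a fleet loop or a compliance script.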
Why This Matters
This is a small setting, but it is exactly the kind of detail that matters in real platform operations. Certificate management is part security control, part lifecycle workflow, and part audit evidence. When the UI and the effective behavior do not line up perfectly, operators need to know which one actually drives the outcome.
The operational pattern is:
- Set `Config.HostAgent.ssl.minPrivateKeyLength` on the ESX host.
- Generate the CSR from VCF Operations.
- Ignore the misleading `2048` display if the host setting is already correct.
- Replace the certificate.
- Verify the public key size on the installed certificate.
That is not flashy, but it is the kind of thing that keeps a certificate standard from turning into a long afternoon of second-guessing the UI.
Disclaimer
This is not an official VMware by Broadcom document. This is a personal blog post.
The information is provided as-is with no warranties and confers no rights.
Please, refer to official documentation for the most up-to-date information.