vSphere Signing Certificate Expiry – What You Need To Know

Why Do We Sign?

To guarantee the security of your download, VMware releases are cryptographically signed. The certificate used to sign legacy releases of software expires at the end of December 2019. For some time now, we have been dual signing releases with the replacement certificate and the legacy certificate. Soon releases be will signed only by the newer certificate (as of April 2020 for the 6.7 codebase, and June 2020 for the 6.5 codebase). This new certificate is valid until September 2037.

So what does the vSphere signing certificate expiry mean?

For older versions of ESXi, to upgrade to any release post the 31st of December 2019, you need two-steps.

ESXi 6.0 versions between 6.0 GA and Update 3G (also known a Patch 07) must upgrade first to a minimum of 6.0 Update 3G. Once there, upgrade to the subsequent target release. Alternatively, upgrade to a minimum of 6.5 Update 2 before upgrading further. 

ESXi 6.5 versions between 6.5 GA and Update 2 must upgrade to a minimum of 6.5 Update 2. Once there, upgrade to the subsequent target release. See below for some example upgrade paths.

vSphere Signing Certificate Expiry - Upgrade Paths

Attempting to upgrade directly from one of the affected releases to any release posted in 2020 will fail. The error message “Could not find a trusted signer” is displayed when upgrading using esxcli. The error message “cannot execute upgrade script on host” is seen if using vSphere Update Manager (VUM).

If you are unable to make this two-step upgrade, one option you have is to use the –no-sig-check switch to disable the signature check when upgrading with esxcli. Alternatively, perform an upgrade from ISO. We would not recommend disabling the signature check in production environments.

As always, please check the interoperability matrices and KB67077 to ensure that your intended upgrade path is supported! 

The usual vSphere upgrade caveats apply.

  • Check that your other products (both VMware and third party) are compatible and support both your intended target release and the interim if required.
  • Upgrade vCenter Server before upgrading ESXi hosts.
  • vSphere 6.0 reaches End of General Support on March 12, 2020. Please consider an upgrade to the 6.5 or 6.7 codebase if at all possible.
  • For more information on this issue, please see KB76555.

To be absolutely clear on this: if your ESXi hosts are already running version 6.0 U3G (build 9239799, released 26th July 2018) or 6.5 U2 (build 8294253, released 3rd May 2018) or higher, then you are NOT affected by this. ESXi 6.7 is also unaffected. Another good reason to stay on top of patches!

Any Other Impact?

I’m glad that you asked. Another impact is that any VMware VIB released after the 31st of January is also unable to be installed on these older versions of ESXi. A VIB is a VMware Installable Bundle and is typically a driver or some form of extension. Some examples of this are the VMware Tools installers, which are pushed to hosts as a VIB. vSphere Replication and VMware NSX both push VIBs to hosts at the point of deployment. If you are using any VMware products that push VIBs, you should be conscious of this as you upgrade. This does not affect third party VIBs.

This issue does not affect vCenter Server.

In Summary

While we understand that any upgrade of vSphere can be complicated, there are lots of resources available to help you to plan and execute successfully. We collate a whole bunch at vSphere Central, where you can find all kinds of content focussed on vSphere, including a dedicated vSphere Upgrade channel. VMware strongly recommends that you stick to current patch levels wherever possible, and this is no exception. To learn more about the issues discussed in this blog post, please see the VMware Knowledge Base.

To keep up to date on the latest information on VMware vSphere why not follow us on Twitter? Just click the link below!