I ran into an issue where configuring vSphere with an intermediate signing certificate and replacing certificates on all hosts would cause the storage providers to go offline. Refreshing host certificates would also cause the issue.

VMware support determined the cause was the removal of the vCenter SMS certificate in the hosts local trust store. This certificate is not pushed to the hosts when the trust store was refreshed. This behavior occurs at least on vSphere 6.7 and 7.0. To resolve the issue, it is necessary to manually add the SMS certificate to the hosts trust store.

Resolution

Connect to vCenter and retrieve the SMS certificate

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store SMS

Install the SMS certificate into the hosts certificate store

Copy the certificate retrieved from vCenter to the following file on the ESXi hosts. The certificate should be appended to the end of the file. Do not remove any certificates currently in the castore.

/etc/vmware/ssl/castore.pem

Synchronize storage providers to bring the Storage Provider status back online

From the vCenter interface, select “Synchronize Storage Providers”, then Rescan any hosts with out of date certificate information.

This process must be repeated for each host and will be required any time the certificate trust list is pushed from vCenter to the hosts.