If corporate policy requires that you use external CA-signed certificates instead of VMCA-signed certificates for ESXi hosts, you can manually add external certificates to the hosts.

When you install ESXi software on a server to create an ESXi host, the host initially has an autogenerated certificate. By default, when the host is added to a vCenter Server system during bring-up of the management domain or other operations involving hosts (for example, host commissioning, VI workload domain creation, and so on), the autogenerated certificate is replaced with a certificate that is signed by the VMware Certificate Authority (VMCA).

When you use external certificates during bring-up, they are not replaced by VMCA-signed certificates. Once you perform bring-up with external certificates for ESXi hosts, all future hosts added to VMware Cloud Foundation must also use external certificates. You cannot use external certificates for ESXi hosts in a VI workload domain unless you used external certificates to create the management domain during bring-up.


External CA-signed certificate and key are available.


  1. Log in to the ESXi Shell for the first host, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
  2. In the directory /etc/vmware/ssl, rename the existing certificates using the following commands:
    mv rui.crt orig.rui.crt 
    mv rui.key orig.rui.key
  3. Copy the external certificate and key that you want to use to /etc/vmware/ssl.
  4. Rename the external certificate and key to rui.crt and rui.key.
  5. Restart the host management agents by running the following commands:
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
  6. Repeat for all the ESXi hosts that you are adding to VMware Cloud Foundation.