If corporate policy requires that you use external CA-signed certificates instead of VMCA-signed certificates for ESXi hosts, you can manually add external certificates to the hosts.
When you install ESXi software on a server to create an ESXi host, the host initially has an autogenerated certificate. By default, when the host is added to a vCenter Server system during bring-up of the management domain or other operations involving hosts (for example, host commissioning, VI workload domain creation, and so on), the autogenerated certificate is replaced with a certificate that is signed by the VMware Certificate Authority (VMCA).
When you use external certificates during bring-up, they are not replaced by VMCA-signed certificates. Once you perform bring-up with external certificates for ESXi hosts, all future hosts added to VMware Cloud Foundation must also use external certificates. You cannot use external certificates for ESXi hosts in a VI workload domain unless you used external certificates to create the management domain during bring-up.
Prerequisite: the external CA-signed certificate and its matching private key for the host are available.
- Log in to the ESXi Shell for the first host, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
- In the directory /etc/vmware/ssl, rename the existing certificate and key using the following commands (the originals are kept so the change can be reverted):
mv rui.crt orig.rui.crt
mv rui.key orig.rui.key
- Copy the external certificate and key that you want to use to /etc/vmware/ssl.
- Rename the external certificate and key to rui.crt and rui.key.
- Restart the host management agents (hostd and vpxa) by running the following commands:
- Repeat for all the ESXi hosts that you are adding to VMware Cloud Foundation.
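The procedure above, with the checks a practitioner would want before touching /etc/vmware/ssl, as an added example written for the busybox ash shell that ESXi Shell provides. This is not VMware's own script: the init script paths (/etc/init.d/hostd, /etc/init.d/vpxa), the 0400 mode for rui.key, the 30-day expiry margin and the presence of openssl on the host are assumptions. It refuses to install a key that does not belong to the certificate, a certificate that is about to expire, or one whose DNS SAN does not name the host, and it will not overwrite an existing orig.* backup.

```shell
#!/bin/sh
# Added example, not VMware code. Assumes a standard ESXi install with
# openssl in the ESXi Shell, hostd/vpxa under /etc/init.d, and the
# certificate store in /etc/vmware/ssl (override with SSL_DIR for testing).
set -eu

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# The private key must belong to the certificate: derive the public key
# from each and compare. Works for RSA and EC keys alike.
check_cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Refuse a certificate that expires within N days (default 30); installing
# one that is about to expire just schedules a repeat of this procedure.
check_not_expiring() {
    cert="$1"; days="${2:-30}"
    openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1
}

# The host FQDN must be present as a DNS SAN, otherwise vCenter and clients
# see a name mismatch. Dots in the FQDN are escaped so "a.b" cannot match "axb".
check_san() {
    cert="$1"; fqdn="$2"
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    openssl x509 -noout -text -in "$cert" 2>/dev/null \
        | grep -qE "DNS:${esc}(,| |\$)"
}

# Steps 2-4 of the page: keep the originals as orig.rui.*, then put the new
# pair in place. The key is readable only by its owner (root on ESXi).
install_cert() {
    cert="$1"; key="$2"; dir="${3:-$SSL_DIR}"
    if [ -e "$dir/orig.rui.crt" ] || [ -e "$dir/orig.rui.key" ]; then
        echo "backup orig.rui.* already exists in $dir, refusing to overwrite" >&2
        return 1
    fi
    [ -f "$dir/rui.crt" ] && mv "$dir/rui.crt" "$dir/orig.rui.crt"
    [ -f "$dir/rui.key" ] && mv "$dir/rui.key" "$dir/orig.rui.key"
    cp "$cert" "$dir/rui.crt"
    cp "$key" "$dir/rui.key"
    chmod 0644 "$dir/rui.crt"
    chmod 0400 "$dir/rui.key"
}

# Step 5: restart the agent that serves the certificate (hostd) and the one
# that talks to vCenter (vpxa). Assumed init script locations.
restart_agents() {
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
}

# Confirm the host now presents the new certificate on 443 by comparing
# SHA-256 fingerprints of the served and the installed certificate.
verify_served_cert() {
    fqdn="$1"; cert="$2"
    served=$(echo | openssl s_client -connect "$fqdn:443" -servername "$fqdn" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    expected=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
    [ "$served" = "$expected" ]
}

main() {
    cert="$1"; key="$2"; fqdn="$3"
    check_cert_key_match "$cert" "$key" || { echo "key does not match certificate" >&2; exit 1; }
    check_not_expiring "$cert" 30      || { echo "certificate expires within 30 days" >&2; exit 1; }
    check_san "$cert" "$fqdn"          || { echo "no DNS SAN for $fqdn in certificate" >&2; exit 1; }
    install_cert "$cert" "$key"
    restart_agents
    sleep 10   # give hostd time to come back before probing it
    verify_served_cert "$fqdn" "$cert" && echo "$fqdn now serves $cert"
}

# Only act when explicitly asked, e.g.
#   ESXI_CERT_INSTALL=1 sh install_esxi_cert.sh /tmp/esxi01.crt /tmp/esxi01.key esxi01.example.com
# so the file can be sourced for its functions without touching the host.
if [ "${ESXI_CERT_INSTALL:-0}" = "1" ]; then
    main "$@"
fi
```

Run it once per host, after copying that host's certificate and key to the host with scp, and keep the orig.rui.* files until vCenter shows the host as healthy with the new certificate.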