If corporate policy requires that you use external CA-signed certificates instead of VMCA-signed certificates for ESXi hosts, you can manually add external certificates to the hosts.

When you install ESXi software on a server to create an ESXi host, the host initially has an autogenerated certificate. By default, when the host is added to a vCenter Server system during bring-up of the management domain or during other operations involving hosts (for example, host commissioning or VI workload domain creation), the autogenerated certificate is replaced with a certificate that is signed by the VMware Certificate Authority (VMCA).

When you use external certificates during bring-up, they are not replaced by VMCA-signed certificates. Once you perform bring-up with external certificates for ESXi hosts, all future hosts added to VMware Cloud Foundation must also use external certificates.

Important: You cannot use external certificates for ESXi hosts in a VI workload domain unless you used external certificates to create the management domain during bring-up.

Prerequisites

External CA-signed certificate and key are available.

Procedure

  1. Log in to the ESXi Shell for the first host, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
  2. In the directory /etc/vmware/ssl, rename the existing certificates using the following commands:
    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key
  3. Copy the external certificate and key that you want to use to /etc/vmware/ssl.
  4. Rename the external certificate and key to rui.crt and rui.key.
  5. Restart the host management agents by running the following commands:
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
  6. Repeat for all the ESXi hosts that you are adding to VMware Cloud Foundation.
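The steps above, carried out as a small shell script with the checks a practitioner would want before touching a host. This is an added example, not VMware's own tooling: it verifies that the external certificate and key actually belong together, refuses to overwrite an existing orig.rui.* backup (a second run would otherwise lose the autogenerated certificate), and only then renames, copies and restarts the agents. The /etc/vmware/ssl directory and the hostd/vpxa init scripts come from the procedure; the staged file paths under /tmp, the file permissions applied, and the presence of openssl on the PATH for the key check are assumptions.

```shell
#!/bin/sh
# Added example (not VMware's own code): replace the ESXi host certificate with
# an external CA-signed pair following the procedure above, with checks first.
# Assumed for illustration: openssl on the PATH, a staged pair under /tmp, and
# the chmod values chosen below.

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key, so a mismatched pair never reaches the host.
# Works for RSA and EC keys because it compares SubjectPublicKeyInfo, not moduli.
cert_key_match() {
    cert="$1"; key="$2"
    crt_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# PEM sanity check that needs no openssl: the file must carry a BEGIN line
# containing the expected marker (CERTIFICATE, or PRIVATE KEY in any variant).
looks_like_pem() {
    file="$1"; marker="$2"
    [ -r "$file" ] && grep -q "^-----BEGIN .*${marker}" "$file"
}

# Steps 2-4 of the procedure: keep the originals as orig.rui.*, then install the
# external pair as rui.crt / rui.key. Exit codes: 1 bad input, 2 backup already
# present, 3 filesystem failure. Nothing is changed unless the inputs pass.
install_esxi_cert() {
    ssl_dir="$1"; new_cert="$2"; new_key="$3"
    looks_like_pem "$new_cert" "CERTIFICATE" || { echo "not a PEM certificate: $new_cert" >&2; return 1; }
    looks_like_pem "$new_key" "PRIVATE KEY" || { echo "not a PEM private key: $new_key" >&2; return 1; }
    [ -f "$ssl_dir/rui.crt" ] && [ -f "$ssl_dir/rui.key" ] || { echo "no rui.crt/rui.key in $ssl_dir" >&2; return 1; }
    if [ -e "$ssl_dir/orig.rui.crt" ] || [ -e "$ssl_dir/orig.rui.key" ]; then
        echo "backup already present in $ssl_dir, refusing to overwrite it" >&2
        return 2
    fi
    mv "$ssl_dir/rui.crt" "$ssl_dir/orig.rui.crt" || return 3
    mv "$ssl_dir/rui.key" "$ssl_dir/orig.rui.key" || return 3
    cp "$new_cert" "$ssl_dir/rui.crt" || return 3
    cp "$new_key" "$ssl_dir/rui.key" || return 3
    # Private key readable by root only; the exact modes are this example's choice.
    chmod 0644 "$ssl_dir/rui.crt" && chmod 0600 "$ssl_dir/rui.key"
}

# Step 5: restart the management agents so hostd and vpxa load the new pair.
restart_host_agents() {
    /etc/init.d/hostd restart && /etc/init.d/vpxa restart
}

# Usage on the host (staged paths are assumptions); each step runs only if the
# previous one succeeded:
#   cert_key_match /tmp/host.crt /tmp/host.key && \
#   install_esxi_cert /etc/vmware/ssl /tmp/host.crt /tmp/host.key && \
#   restart_host_agents
```

Run it once per host (step 6), staging that host's own certificate and key each time. If cert_key_match fails, the pair is wrong for the host and the script stops before anything in /etc/vmware/ssl is touched; if install_esxi_cert returns 2, a backup from an earlier run is still in place and should be inspected rather than silently replaced.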

What to do next

See Deploy the Management Domain Using ESXi Hosts with External Certificates.