If corporate policy requires that you use external CA-signed certificates instead of VMCA-signed certificates for ESXi hosts, you can manually add external certificates to the hosts.

When you install ESXi software on a server to create an ESXi host, the host initially has an autogenerated certificate. By default, when the host is added to a vCenter Server system during bring-up of the management domain or other operations involving hosts (for example, host commissioning, VI workload domain creation, and so on), the autogenerated certificate is replaced with a certificate that is signed by the VMware Certificate Authority (VMCA).

When you use external certificates during bring-up, they are not replaced by VMCA-signed certificates. Once you perform bring-up with external certificates for ESXi hosts, all future hosts added to VMware Cloud Foundation must also use external certificates.


External CA-signed certificate and key are available.


  1. In a web browser, log in to the ESXi host using the VMware Host Client.
  2. In the navigation pane, click Manage and click the Services tab.
  3. Select the TSM-SSH service and click Start if not started.
  4. Log in to the ESXi Shell for the first host, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
  5. In the directory /etc/vmware/ssl, rename the existing certificates using the following commands:
    mv rui.crt orig.rui.crt 
    mv rui.key orig.rui.key
  6. Copy the external certificate and key that you want to use to /etc/vmware/ssl.
  7. Rename the external certificate and key to rui.crt and rui.key.
  8. Restart the host management agents by running the following commands:
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
  9. In the VMware Host Client, select the TSM-SSH service for the ESXi host and click Stop.
  10. Repeat for all the ESXi hosts that you are adding to VMware Cloud Foundation.