If corporate policy requires that you use external CA-signed certificates instead of VMCA-signed certificates for ESXi hosts, you can manually add external certificates to the hosts.

When you install ESXi software on a server to create an ESXi host, the host initially has an autogenerated certificate. By default, when the host is added to a vCenter Server system during bring-up of the management domain or other operations involving hosts (for example, host commissioning, VI workload domain creation, and so on), the autogenerated certificate is replaced with a certificate that is signed by the VMware Certificate Authority (VMCA).

When you use external certificates during bring-up, they are not replaced by VMCA-signed certificates. Once you perform bring-up with external certificates for ESXi hosts, all future hosts added to VMware Cloud Foundation must also use external certificates.

Prerequisites

External CA-signed certificate and key are available.

Procedure

  1. In a web browser, log in to the ESXi host using the VMware Host Client.
  2. In the navigation pane, click Manage and click the Services tab.
    The Services tab for an ESXi host in the VMware Host Client.
  3. Select the TSM-SSH service and click Start if not started.
  4. Log in to the ESXi Shell for the first host, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
  5. In the directory /etc/vmware/ssl, back up the existing certificate and key by renaming them with the following commands:
    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key
  6. Copy the external certificate and key that you want to use to /etc/vmware/ssl.
  7. Rename the external certificate and key to rui.crt and rui.key.
  8. Restart the host management agents by running the following commands:
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
  9. In the VMware Host Client, select the TSM-SSH service for the ESXi host and click Stop.
  10. Repeat for all the ESXi hosts that you are adding to VMware Cloud Foundation.
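The following POSIX shell helper is an added example, not part of the VMware Cloud Foundation documentation; it carries out steps 5 through 8 on one host with the checks a practitioner would want before the management agents restart: both files must be PEM, the key must be unencrypted and match the certificate (when openssl is available), and an existing orig.* backup is never overwritten. The function names, the SSL_DIR override, and mode 0400 on rui.key are assumptions.

```shell
# Added helper (not from the VCF docs): carries out steps 5-8 of the procedure
# with checks before the agents restart. Assumed: function names, the SSL_DIR
# override, and mode 0400 on rui.key.
set -eu
SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"

# Return 0 if the first line of $1 is a PEM header of type $2 ("CERTIFICATE" or "PRIVATE KEY").
has_pem_header() {
    head -n 1 "$1" | grep -q "^-----BEGIN .*$2-----"
}

# Return 0 only if both files parse and carry the same public key (needs openssl).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Checks to run before anything on the host is touched.
verify_pair() {
    has_pem_header "$1" CERTIFICATE || { echo "not a PEM certificate: $1" >&2; return 1; }
    has_pem_header "$2" "PRIVATE KEY" || { echo "not a PEM private key: $2" >&2; return 1; }
    # hostd cannot prompt for a passphrase, so the key must be unencrypted.
    if head -n 1 "$2" | grep -q ENCRYPTED; then echo "key is encrypted: $2" >&2; return 1; fi
    if command -v openssl >/dev/null 2>&1; then
        cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    fi
}

# Steps 5-7: back up the current pair as orig.* and install the new files. Refuses to
# run twice so the original backup is never overwritten.
install_cert() {
    new_crt="$1"; new_key="$2"; dir="${3:-$SSL_DIR}"
    if [ -e "$dir/orig.rui.crt" ] || [ -e "$dir/orig.rui.key" ]; then
        echo "backup already present in $dir, refusing to overwrite" >&2; return 1
    fi
    [ -f "$dir/rui.crt" ] && mv "$dir/rui.crt" "$dir/orig.rui.crt"
    [ -f "$dir/rui.key" ] && mv "$dir/rui.key" "$dir/orig.rui.key"
    cp "$new_crt" "$dir/rui.crt"
    cp "$new_key" "$dir/rui.key"
    chmod 0400 "$dir/rui.key"   # private key readable by root only (assumption)
}

# Step 8: restart the management agents so hostd serves the new certificate.
restart_agents() {
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
}
# Usage on the host: sh install_esxi_cert.sh /path/new.crt /path/new.key
if [ $# -ge 2 ]; then verify_pair "$1" "$2"; install_cert "$1" "$2"; restart_agents; fi
```

Running it with no arguments only defines the functions, so the restart never fires accidentally; the verification step is the part to add if you otherwise follow the manual procedure.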