Once you have configured the ESXi host's identity by providing a hostname, you must regenerate the self-signed certificate to ensure that the correct common name is defined.

During the installation of ESXi, the installer generates a self-signed certificate for each ESXi host, but it does so before the ESXi identity has been configured. As a result, every ESXi host has localhost.localdomain as the common name in its self-signed certificate. All communication between VMware Cloud Builder and the ESXi hosts is performed securely over HTTPS. When making a connection, VMware Cloud Builder validates the host's identity by comparing the common name of the certificate against the FQDN provided in the VMware Cloud Builder configuration file.

To ensure that connection attempts and validation do not fail, you must manually regenerate the self-signed certificate after the hostname has been configured.

Note: VMware Cloud Foundation supports the use of signed certificates. If your organization's security policy mandates that all ESXi hosts must be configured with a CA-signed certificate, see Configure ESXi Hosts with Signed Certificates.


  1. In a web browser, log in to the ESXi host using the VMware Host Client.
  2. In the navigation pane, click Manage and click the Services tab.
  3. Select the TSM-SSH service and click Start if not started.
  4. Log in to the ESXi host using an SSH client such as PuTTY.
  5. Regenerate the self-signed certificate by executing the following command:
  6. Restart the hostd and vpxa services by executing the following command:
    /etc/init.d/hostd restart && /etc/init.d/vpxa restart
  7. In the VMware Host Client, select the TSM-SSH service for the ESXi host and click Start.
  8. Repeat this procedure for all remaining hosts.
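
To confirm the result of this procedure before the hosts are handed to VMware Cloud Builder, the following script (an added example, not part of the VMware documentation) reads the certificate each host serves on port 443 and reports any host whose common name is not the FQDN passed in. It assumes an administrative workstation with openssl installed; the script name, the host names in the usage comment and the sample subject are constructed.

```shell
#!/bin/sh
# Added example (not VMware code): confirm the certificate a host presents
# carries its FQDN as common name rather than localhost.localdomain.

# Constructed sample: subject of an installer-generated certificate, in the
# layout printed by `openssl x509 -noout -subject -nameopt multiline`.
sample_subject() {
    cat <<'EOF'
subject=
    countryName               = US
    organizationName          = Example Org (constructed)
    commonName                = localhost.localdomain
EOF
}

# Read a multiline subject on stdin and print the first commonName value.
cert_cn() {
    sed -n 's/^[[:space:]]*commonName[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Succeed only if CN ($1) is non-empty and equals the expected FQDN ($2).
# Assumption: names are compared case-insensitively, as DNS names are.
cn_matches() {
    cn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$want" ]
}

# Fetch the subject of the certificate served on port 443 of host $1.
fetch_subject() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -nameopt multiline
}

# Report one host; non-zero status on mismatch or when no certificate is read.
check_host() {
    found=$(fetch_subject "$1" | cert_cn)
    if cn_matches "$found" "$1"; then
        echo "OK       $1"
    else
        echo "MISMATCH $1 (CN=${found:-none})"; return 1
    fi
}

# Usage (hypothetical names): sh check-esxi-cn.sh esxi01.example.com esxi02.example.com
rc=0
for host in "$@"; do check_host "$host" || rc=1; done
[ "$rc" -eq 0 ] || exit 1
```

A host that still reports `CN=localhost.localdomain` has not had its certificate regenerated, or its hostd service has not been restarted since.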