By default the ESXi hosts are automatically provisioned with VMware Certificate Authority (VMCA) certificates when they are connected to vCenter Server. You set the host certificate mode on vCenter Server to support a custom certificate authority to prevent the vCenter Server from replacing certificates on to the ESXi hosts.

vCenter Server	ESXi Host
sfo01m01vc01.sfo01.rainpole.local	sfo01m01esx01.sfo01.rainpole.local
	sfo01m01esx02.sfo01.rainpole.local
	sfo01m01esx03.sfo01.rainpole.local
	sfo01m01esx04.sfo01.rainpole.local

1. Log in to vCenter Server by using the vSphere Web Client.
   1. Open a Web browser and go to https://sfo01m01vc01.sfo01.rainpole.local/vsphere-client.
   2. Log in using the following credentials.

      Setting	Value
      User name	administrator@vsphere.local
      Password	vsphere_admin_password

2. Verify that all CA certificates from vCenter Server are updated on all hosts.
   1. In the Navigator, under Hosts and Cluster, select sfo01m01esx01.sfo01.rainpole.local, and click the Configure tab.
   2. Under System, select Certificate and click Refresh CA Certificates.
   3. Repeat the steps for the ESXi hosts that are controlled by the Management vCenter Server sfo01m01vc01.sfo01.rainpole.local.
3. Change the certificate mode for the ESXi hosts in the management cluster to custom .
   1. In the Navigator, under Hosts and Cluster, select sfo01m01vc01.sfo01.rainpole.local, and click the Configure tab.
   2. Under Settings, click Advanced Settings and click Edit.
   3. In the filter box, enter certmgmt and press Enter to view only certificate management properties.
   4. Change the value of the vpxd.certmgmt.mode property to custom and click OK.
4. Restart the vCenter Server Appliance to apply the changes.
   1. Open a Web browser and go to https://sfo01m01vc01.sfo01.rainpole.local:5480
   2. Log in using the following credentials.

      Settings	Values
      User name	root
      Password	vcenter_server_root_password

   3. Click Reboot to restart the vCenter Server Appliance.