You can replace the default VMCA-signed ESXi certificates by using the vifs command.
You run vifs as a vCLI command. See Getting Started with vSphere Command-Line Interfaces.
Prerequisites
- If you want to use third-party CA-signed certificates, generate the certificate request, send it to the certificate authority, and store the certificates on each ESXi host.
- If necessary, enable the ESXi Shell or enable SSH traffic from the vSphere Web Client.
- All file transfers and other communications occur over a secure HTTPS session. The user who is used to authenticate the session must have the privilege on the host.
Procedure
- Back up the existing certificates.
- Generate a certificate request following the instructions from the certificate authority.
- When you have the certificate, use the vifs command to upload the certificate to the appropriate location on the host from an SSH connection to the host.
vifs --server hostname --username username --put rui.crt /host/ssl_cert
vifs --server hostname --username username --put rui.key /host/ssl_key
- Restart the host.
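A key that does not pair with the certificate, or a certificate that has already expired, is easiest to catch on the workstation before the files are uploaded. The following check is an added example, not part of the VMware procedure; `check_pair` is a hypothetical helper name, and the script assumes the `openssl` command is available where `rui.crt` and `rui.key` are stored.

```shell
#!/bin/sh
# Added example (not VMware code): pre-upload sanity check for rui.crt / rui.key.
# check_pair is a hypothetical helper; it assumes the openssl CLI is installed.
# Return codes: 0 pair is usable, 1 key/certificate mismatch,
#               2 a file cannot be parsed, 3 certificate expired or expiring.

check_pair() {
    cp_crt=$1
    cp_key=$2

    # Both files must parse before anything is compared; otherwise two
    # failed reads would hash to the same empty value and look like a match.
    openssl x509 -in "$cp_crt" -noout 2>/dev/null ||
        { echo "unreadable certificate: $cp_crt" >&2; return 2; }
    # -passin pass: makes a passphrase-protected key fail instead of prompting.
    openssl pkey -in "$cp_key" -noout -passin pass: 2>/dev/null ||
        { echo "unreadable or encrypted key: $cp_key" >&2; return 2; }

    # Reject a certificate that is expired or expires within the next day.
    openssl x509 -in "$cp_crt" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "certificate expired or expiring within 24h" >&2; return 3; }

    # Compare the public key in the certificate with the one derived from the key.
    cp_from_crt=$(openssl x509 -in "$cp_crt" -noout -pubkey | openssl dgst -sha256)
    cp_from_key=$(openssl pkey -in "$cp_key" -pubout -passin pass: | openssl dgst -sha256)
    [ "$cp_from_crt" = "$cp_from_key" ] ||
        { echo "private key does not match certificate" >&2; return 1; }

    return 0
}

# Stand-alone use: sh check_pair.sh rui.crt rui.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" && echo "pair OK: $1 / $2"
fi
```

Run the check on the files received from the certificate authority and continue with the vifs upload only when it returns 0.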
What to do next
Update the vCenter Server TRUSTED_ROOTS store. See Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates).