By default, ESXi hosts require explicit verification of the vSphere Authentication Proxy certificate. If you are using vSphere Auto Deploy, the Auto Deploy service takes care of adding the certificate to hosts that it provisions. For other hosts, you must add the certificate explicitly.


  • Upload the vSphere Authentication Proxy certificate to a datastore accessible to the ESXi host. Using an SFTP application such WinSCP, you can download the certificate from the vCenter Server host at the following location.


  • Verify that the UserVars.ActiveDirectoryVerifyCAMCertificate ESXi advanced setting is set to 1 (the default).


  1. Select the ESXi host and click Configure.
  2. Under System, select Authentication Services.
  3. Click Import Certificate.
  4. Enter the certificate file path following the format [datastore]/path/certname.crt, and click OK.