Your company's security policy might require that you replace the default ESXi SSL certificate with a third-party CA-signed certificate on each host.

By default, vSphere components use the VMCA-signed certificate and key that are created during installation. If you accidentally delete the VMCA-signed certificate, remove the host from its vCenter Server system, and add it back. When you add the host, vCenter Server requests a new certificate from VMCA and provisions the host with it.

Replace VMCA-signed certificates with certificates from a trusted CA, either a commercial CA or an organizational CA, if your company policy requires it.

The default certificates are in the same location as the vSphere 5.5 certificates. You can replace the default certificates with trusted certificates in various ways.

Note: You can also use the vim.CertificateManager and vim.host.CertificateManager managed objects in the vSphere Web Services SDK. See the vSphere Web Services SDK documentation.

After you replace the certificate, you must also update the TRUSTED_ROOTS store in VECS on the vCenter Server system that manages the host, so that vCenter Server trusts the CA that issued the new host certificate and the trust relationship between vCenter Server and the ESXi host is preserved.
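As an added example (not part of the VMware documentation), the following POSIX shell check confirms that a host's replacement certificate actually chains to the CA root you intend to load into TRUSTED_ROOTS, which is worth doing before touching VECS. The CA, the host name and all file paths are constructed for the example, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the VMware documentation: verify that an ESXi host's
# replacement certificate chains to the CA root that will be added to the
# vCenter Server TRUSTED_ROOTS store in VECS. All names and paths are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material standing in for the organizational CA and the
# new host certificate: one root that signs the host cert, and one unrelated
# root to show the negative case.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Org Root CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" \
    -subj "/CN=esxi01.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/host.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -out "$WORK/host.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" \
    -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# check_chain ROOT_PEM HOST_PEM: exit status 0 only when HOST_PEM verifies
# against ROOT_PEM, i.e. the root is the one that belongs in TRUSTED_ROOTS.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: expect the signing root to pass and the unrelated one to fail.
make_test_pki
if check_chain "$WORK/ca.pem" "$WORK/host.pem"; then
  echo "host certificate chains to Example Org Root CA"
fi
if ! check_chain "$WORK/other.pem" "$WORK/host.pem"; then
  echo "host certificate does NOT chain to Unrelated CA"
fi
```

Point `check_chain` at the real root file and at the certificate the host presents after replacement; a failure means the root you are about to load into TRUSTED_ROOTS is not the one that signed the host certificate.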

For detailed instructions about using CA-signed certificates for ESXi hosts, see Certificate Mode Switch Workflows.

Note: If you are replacing SSL certificates on an ESXi host that is part of a vSAN cluster, follow the steps that are in the VMware knowledge base article at https://kb.vmware.com/s/article/56441.