If you set up your ESXi hosts to use custom certificates, you must update the TRUSTED_ROOTS store on the vCenter Server system that manages the hosts.
Prerequisites
Replace the certificates on each host with custom certificates.
Note: This step is not required if the vCenter Server system is also running with custom certificates issued by the same CA as those installed on the ESXi hosts.
Procedure
- To update the vCenter Server TRUSTED_ROOTS store using vSphere Client, see Add a Trusted Root Certificate to the Certificate Store Using the vSphere Client.
- To update the vCenter Server TRUSTED_ROOTS store using the command line interface, log in to the vCenter Server shell of the vCenter Server system that manages the ESXi hosts.
- To add the new certificates to the TRUSTED_ROOTS store, run dir-cli, for example:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert path_to_RootCA
- When prompted, provide the Single Sign-On Administrator credentials.
- If your custom certificates are issued by an intermediate CA, you must also add the intermediate CA to the TRUSTED_ROOTS store on the vCenter Server, for example:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert path_to_intermediateCA
What to do next
Set certificate mode to Custom. If the certificate mode is VMCA, the default, and you perform a certificate refresh, your custom certificates are replaced with VMCA-signed certificates. See Change the ESXi Certificate Mode.