Configure ESXi Hosts with Signed Certificates
If corporate policy requires that you use external CA-signed certificates instead of VMCA-signed certificates for ESXi hosts, you can manually add external certificates to the hosts.
Prerequisite: an external CA-signed certificate and its private key are available.
When you install ESXi software on a server to create an ESXi host, the host initially
has an autogenerated certificate. By default, when the host is added to a vCenter
Server system during bring-up of the management domain or other operations involving
hosts (for example, host commissioning, VI workload domain creation, and so on), the
autogenerated certificate is replaced with a certificate that is signed by the
VMware Certificate Authority (VMCA).
When you use external certificates during bring-up, they are not replaced by VMCA-signed certificates. Once you perform bring-up with external certificates for ESXi hosts, all future hosts added to VMware Cloud Foundation must also use external certificates.
- In a web browser, log in to the ESXi host using the VMware Host Client.
- In the navigation pane, click Manage and click the Services tab.
- Select the TSM-SSH service and click Start if it is not started.
- Log in to the ESXi Shell for the first host, either directly from the DCUI or from an SSH client, as a user with administrator privileges.
- In the directory /etc/vmware/ssl, rename the existing certificates using the following commands:
    mv rui.crt orig.rui.crt
    mv rui.key orig.rui.key
- Copy the external certificate and key that you want to use to /etc/vmware/ssl.
- Rename the external certificate and key to rui.crt and rui.key.
- Restart the host management agents by running the following commands:
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
- In the VMware Host Client, select the TSM-SSH service for the ESXi host and click Stop.
- Repeat for all the ESXi hosts that you are adding to VMware Cloud Foundation.
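The steps above, collected into one POSIX shell function that can be run from the ESXi Shell on each host. This is an added example, not VMware's own tooling: it keeps the procedure's file names (rui.crt, rui.key, orig.rui.crt, orig.rui.key) and agent restart commands, and adds two checks a practitioner would want before touching a host: that the certificate and private key actually belong together (compared through their public keys, so hostd is never left with a mismatched pair), and that an existing orig.rui.* backup is not overwritten on a re-run. The SSL_DIR and RESTART_AGENTS variables, the file permissions applied, and the cert_key_match helper are assumptions of this example.

```shell
#!/bin/sh
# install_esxi_cert.sh (added example; not VMware's code)
# Usage on an ESXi host: sh install_esxi_cert.sh /tmp/host1.crt /tmp/host1.key
set -eu

SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"      # ESXi certificate directory from the procedure
RESTART_AGENTS="${RESTART_AGENTS:-yes}"    # assumed switch: "no" when testing outside ESXi

# Confirm the certificate and key form a pair by comparing the public key in
# each. Returns 0 on match; if openssl is missing the check is skipped (assumed
# behaviour) and a note is printed so the operator knows it was not verified.
cert_key_match() {
    cert="$1"; key="$2"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not available; skipping certificate/key match check" >&2
        return 0
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
    [ "$cert_pub" = "$key_pub" ]
}

# Back up the autogenerated files under the procedure's orig.rui.* names,
# install the external pair as rui.crt / rui.key and restart hostd and vpxa.
install_esxi_cert() {
    new_cert="$1"; new_key="$2"
    if [ ! -f "$new_cert" ] || [ ! -f "$new_key" ]; then
        echo "certificate or key file not found" >&2
        return 1
    fi
    if ! cert_key_match "$new_cert" "$new_key"; then
        echo "certificate does not match private key; nothing changed" >&2
        return 1
    fi
    # Only back up once: a second run must not clobber the original files.
    if [ -f "$SSL_DIR/rui.crt" ] && [ ! -f "$SSL_DIR/orig.rui.crt" ]; then
        mv "$SSL_DIR/rui.crt" "$SSL_DIR/orig.rui.crt"
    fi
    if [ -f "$SSL_DIR/rui.key" ] && [ ! -f "$SSL_DIR/orig.rui.key" ]; then
        mv "$SSL_DIR/rui.key" "$SSL_DIR/orig.rui.key"
    fi
    cp "$new_cert" "$SSL_DIR/rui.crt"
    cp "$new_key" "$SSL_DIR/rui.key"
    chmod 644 "$SSL_DIR/rui.crt"   # assumed: certificate is public
    chmod 600 "$SSL_DIR/rui.key"   # assumed: private key readable by root only
    if [ "$RESTART_AGENTS" = "yes" ]; then
        /etc/init.d/hostd restart
        /etc/init.d/vpxa restart
    fi
    return 0
}

# Run directly with a certificate and key path; when sourced, only the
# functions are defined.
if [ "$#" -ge 2 ]; then
    install_esxi_cert "$1" "$2"
fi
```

Stop the TSM-SSH service in the VMware Host Client afterwards, as the procedure says; the script does not touch SSH. If the match check fails the host's files are left untouched, which is the outcome you want when the wrong key was copied over.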