Does anyone have instructions on how to replace the certificate with an external CA on an ESXi 6.7 host instead of the default self-signed? I would have thought it would be integrated into vCenter now, but that doesn't seem to be the case.
Everybody that uses vCenter does; VMCA deploys a cert as part of the process of onboarding an ESXi host. As a matter of interest: why are you wanting to use a CA-signed cert for ESXi? Bear in mind that if you do this, vCenter will need to trust the CA that issues it, and you need to replace that cert before it expires or you're in for a bad day in the office.
We have a single locked-down, high-security vSphere environment, and the only way that we will be able to access it is that all devices have a CA/PKI cert installed. Pretty much there can't be the annoying menu that pops up saying this cert isn't trusted.
The vCenter already has a PKI cert installed, but that is easy to manage, especially with how VMware changed its cert management systems in 6.7. Be great if there is a way around it, as I would prefer not to have a cert manually installed that I then need to manage, but there doesn't seem to be.
We get notifications of when a cert is about to expire, which starts at 30 days (they last for 2 years).
Unfortunately, there is not a way of doing this in an automated way, or even more easily from a UI. The procedure that lucasbernadsky proposed is the official one and the one you should follow.
If you also have vSAN in your environment, please be aware that it is not that easy to change the certificates, and from my point of view it is not a "productive solution". I am saying this in case you have it or you are planning to have it. Check this KB for more information: VMware Knowledge Base
I assume that shows that the majority of people don't apply certs to their ESXi hosts then, if there is no automated or easier way via the UI. Does anyone here have real-world experience applying certs to the ESXi?
We don't have vSAN in our environment at the moment.