Commissioning hosts in VCF when custom certificates are used

You get your VCF 9 management domain up and running, have the identity broker configured for VCF single sign-on, and have replaced all those self-signed certificates with ones issued by your own certificate authority. Then you run into an issue when you want to commission new hosts within your VCF environment.

Well, when you deploy those custom certificate authority certificates it puts VCF into a custom certificate mode, and any new host will need a certificate issued by that same certificate authority before SDDC Manager will trust it. There are a few ways to get a certificate installed on a vSphere host; I have found that the host web GUI is capable of changing this certificate without any issues.

Follow the steps below to upload a certificate issued by your custom certificate authority to your vSphere host.

Log in to the vSphere host web GUI and click Manage > Security & users.

Click Certificates.

Select the Import new certificate link, then click the Generate FQDN signing request link.

In the Certificate Signing Request (CSR) result, click Copy to Clipboard.

Open a web browser, log in to your certificate authority's web enrollment page, and click the Request a certificate link.

In the Advanced Certificate Request screen, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

In the Saved Request box, paste the CSR you previously copied to the clipboard and ensure the correct certificate template is selected. Click Submit.

After the certificate is issued, select the Base 64 encoded radio button and click Download certificate.

Open File Explorer at the location where the certificate was downloaded, right-click the certificate and select Open with Notepad.

Select the entire certificate, including the BEGIN CERTIFICATE and END CERTIFICATE lines, and press Ctrl + C. Paste the contents into the Import Certificate pop-up on the vSphere host and select Import.
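As an added example that is not part of the original post, the POSIX shell script below uses openssl to check the issued certificate before you paste it into the host's Import Certificate dialog: that it chains to the custom CA SDDC Manager now expects, that it carries the public key from the host's CSR (a certificate issued against the wrong request is caught here), and that the host FQDN appears in the subjectAltName. The CA, a second unrelated CA, the host key and the CSR are constructed locally so the script runs offline; the host name esxi01.lab.example, the file names and the check_cert function are placeholders of this example, not anything from VCF or vSphere.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a host certificate
# before pasting it into the ESXi "Import Certificate" dialog.
# It verifies that the issued certificate (1) chains to the custom CA that VCF
# now trusts, (2) wraps the public key from the host's CSR, and (3) names the
# host FQDN in its subjectAltName.
# The CA, the unrelated "other" CA, the host key and the CSR are constructed
# stand-ins generated locally so the script runs offline; in practice the CSR
# comes from the host's "Generate FQDN signing request" and the certificate
# from your CA's Base 64 download.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST_FQDN="esxi01.lab.example"   # assumed placeholder host name

# Build the constructed fixtures: a throwaway CA, a second unrelated CA,
# the host key/CSR, and a certificate issued by the first CA with a SAN.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST_FQDN" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST_FQDN" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/host.pem" >/dev/null 2>&1
}

# check_cert CERT CSR CA_BUNDLE FQDN
# Returns 0 when the certificate is safe to import, 1 (with a reason) otherwise.
check_cert() {
  cert=$1; csr=$2; ca=$3; fqdn=$4
  # 1. Chain of trust: SDDC Manager only trusts hosts issued by the same CA.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate does not chain to the expected CA"; return 1
  fi
  # 2. Key match: the cert must wrap the public key from the host's CSR,
  #    otherwise the host's private key cannot be used with it.
  cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
  if [ "$cert_key" != "$csr_key" ]; then
    echo "FAIL: certificate public key does not match the CSR"; return 1
  fi
  # 3. Name: the host FQDN must appear in the SAN, or clients reject the cert.
  if ! openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$fqdn(,|$)"; then
    echo "FAIL: $fqdn is not in the certificate's subjectAltName"; return 1
  fi
  echo "OK: $cert is ready to import"
  return 0
}

make_fixtures
check_cert "$WORK/host.pem" "$WORK/host.csr" "$WORK/ca.pem" "$HOST_FQDN"
```

To use it on a real host, replace the constructed files with the CSR you copied from the host and the Base 64 certificate you downloaded from the CA, and pass your CA's PEM bundle (including any intermediate) as the third argument. A failed chain check means the host would end up with a certificate SDDC Manager will not trust; a failed key check means the certificate was issued for a different CSR and the host cannot use it.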

I always like to reboot the host after importing a certificate just in case, but you can also just restart the vpxd service instead.

If you would like to add a custom certificate through the vSphere command-line interface instead, you can follow this knowledge base article.