Vulnerability scan reports "Please install a server certificate signed by a trusted third-party Certificate Authority" on port 9080

Article ID: 319995


Products

VMware vSphere ESXi

Issue/Introduction

While using custom certificates, a vulnerability scan of port 9080 on an ESXi host may report "Please install a server certificate signed by a trusted third-party Certificate Authority".

The certificate presented on port 443 differs from the certificate presented on port 9080.

Environment

VMware vSphere ESXi 8.0

Cause

The IO Filter provider on the ESXi host is not correctly registered with the host certificate.

The cause can be verified with the following steps:

1. Open the host URL (https://esxi-ip-or-fqdn) in a browser and view the certificate.
2. Open https://esxi-ip-or-fqdn:9080/version.xml in the browser and view the certificate.

If the two certificates differ, this confirms that the IO Filter certificate is not registered with the host certificate.

Alternative way:

Run the following commands from an SSH session (vCenter or ESXi host). Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input:

For port 443:
openssl s_client -connect esxi-ip-or-fqdn:443 </dev/null | openssl x509 -noout -fingerprint

For port 9080:
openssl s_client -connect esxi-ip-or-fqdn:9080 </dev/null | openssl x509 -noout -fingerprint

The output should look similar to the following. Compare the "SHA1 Fingerprint=" line from each port; the fingerprints must match:
depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = vc.domain.local, OU = VMware Engineering
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware Engineering, CN = esxi.domain.local, emailAddress = [email protected]
verify return:1
DONE
SHA1 Fingerprint=85:6F:36:32:1C:3F:C8:xx:xx:xx:xx:xx:xx:BE:8F:52:3F:D8:78:FE
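The following script is an added example, not part of this article, that automates the openssl comparison above: it fetches the certificate presented on ports 443 and 9080, prints fingerprints in the same colon-separated layout as `openssl x509 -fingerprint`, and reports any port whose certificate differs from the host certificate on 443. The host name is a placeholder, and chain verification is switched off on purpose because the question is which certificate each service presents, not whether it is trusted.

```python
import hashlib
import socket
import ssl
import sys


def fetch_der_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the service presents on this port, DER-encoded.

    Verification is disabled deliberately: a custom or self-signed certificate
    must still be retrievable so its fingerprint can be compared.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Uppercase colon-separated digest, same layout as `openssl x509 -fingerprint`."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_mismatches(fingerprints: dict) -> list:
    """Return the ports whose certificate differs from the host certificate on 443.

    An empty list means the IO Filter provider is registered with the host certificate.
    """
    reference = fingerprints[443]
    return sorted(p for p, fp in fingerprints.items() if fp != reference)


def check_host(host: str, ports=(443, 9080)) -> dict:
    """Fetch each port's certificate and return {port: fingerprint}."""
    return {p: fingerprint(fetch_der_cert(host, p)) for p in ports}


if __name__ == "__main__":
    # "esxi-ip-or-fqdn" is a placeholder; pass the real host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "esxi-ip-or-fqdn"
    fps = check_host(target)
    for port, fp in fps.items():
        print(f"{port}: {fp}")
    bad = find_mismatches(fps)
    print("consistent" if not bad else f"mismatch on port(s) {bad}")
```

Run it once to confirm the mismatch and again after the resolution below to verify that both ports now present the same certificate.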
 

Resolution

  1. Verify that the host is using a custom certificate.
  2. Refresh the IO Filter provider certificate with the following command:

    /usr/lib/vmware/iofilter/bin/iofvp-ctrl-app -r

  3. Verify that the certificate retrieved from both URLs is the same, using the steps from the Cause section.

Additional Information

Alarm for Registration/unregistration of third-party IO filter storage providers fails
https://knowledge.broadcom.com/external/article/313921 

Impact/Risks:

The IO Filter certificate will be registered with the host's certificate. The IO Filter provider will start using the custom certificate from the host instead of the previously used certificate.