The vulnerability scan report for ESXi host flags "Plugin ID 51192 SSL Certificate Cannot be Trusted"

Plugin 51192 will have an output similar to "The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority"

VMware vSphere ESXi

The Certificate Authority that signs the ESXI host certificate is unknown to the scan tools (Nessus, Qualys, or similar).

You can safely ignore the scan results and ask your security team to whitelist the ESXi IP/FQDN from their security scanner provided that the ESXi host certificate is VMCA issued and valid.

If you wish to have the hosts not getting listed in the scan at all, you need to either

• Replace the host certificates with the custom ones (signed by their Enterprise CA / Public CA whom they trust).
  
  or
  
  
• Download the existing ESXi host certificate from the browser and import it to the scanning tool's certificate store.