Unable to add ESXi hosts to Active Directory domain via vSphere Authentication Proxy

Article ID: 407662

Products

VMware vCenter Server 8.0

Issue/Introduction

  • Adding ESXi hosts to Active Directory domain via vSphere Authentication Proxy fails with error:

    Errors in Active Directory Operations

  • VMware vSphere Authentication Proxy Service (i.e. vmcam service) has already been started on vCenter and authentication proxy has already been configured on vCenter.
  • VMware vSphere Authentication Proxy certificate has been imported into ESXi host.
  • /var/log/vmware/vmcamd/vmcamd.log contains the following error:

    Verify error: num=26:unsuitable certificate purpose: 

  • The certificate of ESXi host is signed by customer's CA.

Environment

VMware vCenter Server 8.0

Cause

The CA-signed certificate installed on the ESXi host lacks the "SSL client" purpose (the clientAuth extended key usage). The vSphere Authentication Proxy validates the host certificate for client use, so OpenSSL rejects it with "unsuitable certificate purpose" (verify error 26).

Resolution

The ESXi host certificate needs to be re-signed by the CA so that the new certificate carries both the "SSL client" and "SSL server" purposes (the clientAuth and serverAuth extended key usages).
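The following script is an added example, not part of this article or of VMware's tooling. It uses a throwaway CA to reproduce the verify error 26 against a serverAuth-only host certificate, shows an OpenSSL extension profile that gives the re-signed certificate both purposes, and runs the same `-purpose sslclient` check on each. The CA name, host name and temporary paths are constructed.

```shell
#!/bin/sh
# Added example (not from the KB). Requires the openssl CLI. All names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA standing in for the customer's enterprise CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Customer CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a host certificate with the given extendedKeyUsage list.
# $1 = output name, $2 = EKU list ("serverAuth" or "serverAuth,clientAuth")
sign_host_cert() {
  name="$1"; eku="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=esxi01.example.local" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  # Extension profile the CA must apply: both purposes for an ESXi host cert.
  printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature,keyEncipherment\nsubjectAltName = DNS:esxi01.example.local\n' \
    "$eku" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# The check that fails in vmcamd.log: is the certificate acceptable as an SSL client?
# Prints "ok" or "unsuitable" (OpenSSL's error 26, unsuitable certificate purpose).
check_client_purpose() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo unsuitable
  fi
}

make_ca
sign_host_cert server_only serverAuth              # the failing case from the article
sign_host_cert both serverAuth,clientAuth          # the re-signed certificate
echo "serverAuth only:       $(check_client_purpose server_only)"
echo "serverAuth+clientAuth: $(check_client_purpose both)"
```

Run `openssl x509 -in <host.crt> -noout -ext extendedKeyUsage` on the certificate currently installed on the host to confirm whether "TLS Web Client Authentication" is listed before asking the CA to re-sign.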

Additional Information

For detailed steps of adding ESXi hosts to Active Directory using vSphere Authentication Proxy, refer to: How to add hosts to Active Directory using vSphere Authentication Proxy.

For detailed steps of replacing ESXi host certificate with CA-signed certificate, refer to: Configuring CA signed certificates for ESXi hosts.