Signing certificate for an ESXi host from a CA fails with message "The subject name does not match the specified expression"
Article ID: 420431

Products

VMware vSphere ESXi
VMware vCenter Server

Issue/Introduction

  • The following message is observed when signing the certificate for an ESX host from a Certificate Authority (CA):
     The subject name "C=<country_name>,ST=<state_name>,L=<locality>,O=<organization>,OU=<Org_unit>,CN=<Host_name>,E=<Email_Address>" (specifically "<Host_name>") does not match the specified expression "CN=^[a-zA-Z0-9]([a-zA-Z0-9\-\.]+)?\.(domain_name|DOMAIN_NAME|domain2_name|DOMAIN2_NAME)\.(tld1|TLD1|tld2|TLD2|tld3|TLD3)$"
  • The ESX host's hostname is not a fully qualified domain name (FQDN): no domain name is configured, so the FQDN the host reports is only the short hostname. This can be confirmed by running the following command from the ESX shell:
     [root@<Hostname>:~ ] esxcli system hostname get
     Domain Name:
     Fully Qualified Domain Name: <Host_shortname>
     Host Name: <Host_shortname>

Environment

  • ESXi 8.x
  • ESX 9.x
  • vCenter 8.x
  • vCenter 9.x

Cause

The certificate signing fails because the CA's policy enforces a regular expression on the subject Common Name (CN): the CN must be a fully qualified domain name ending in one of the domain and top-level-domain combinations listed in the expression. The ESX host has no domain name configured, so the CN in the CSR (and the SAN name derived from the hostname) is the short hostname, which does not satisfy the expression and is rejected by the CA.

Resolution

Follow the steps below to resolve the issue by changing the ESX hostname to a fully qualified domain name:

  1. Change the ESX hostname to a fully qualified domain name by following the knowledge base article: Changing the hostname of an ESX host
  2. Generate a new CSR for the ESX SSL certificate using the vSphere Client. The CSR must be generated after the hostname change, because a CSR created earlier still carries the short hostname in its CN. Refer: Generate a Certificate Signing Request for a Custom Certificate Using the vSphere Client
  3. After the CA has signed the certificate, import it for the ESX host using the vSphere Client. Refer: Replace the Default Certificate with a Custom Certificate Using the vSphere Client
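The following shell script is an added example, not part of this article or of VMware's tooling. It shows the pre-check a practitioner would run before resubmitting the CSR: it parses the `esxcli system hostname get` output shown above, tests the reported FQDN against the CA's subject-name expression, and prints the `esxcli system hostname set --fqdn=...` command to run on the host when the check fails. The domain and TLD alternatives in the expression (`corp|lab`, `example|local`), the host name `esx01`, and the two `esxcli` output samples are constructed placeholders standing in for the `<domain_name>`/`<tld>` values in the real error message; the `esxcli` and `openssl` commands themselves are real but are not executed by the script.

```shell
#!/bin/sh
# Added example (not from the KB article): check whether an ESX host's FQDN
# would satisfy the CA's subject-name expression before generating a new CSR.
#
# ASSUMPTION: the CA's expression from the error message, with the placeholder
# domain and TLD alternatives filled in as corp|lab and example|local.
POLICY_DOMAINS='corp|CORP|lab|LAB'
POLICY_TLDS='example|EXAMPLE|local|LOCAL'

# cn_matches_policy NAME -> exit 0 if NAME satisfies the CA's CN expression.
# The CA's bracket expression [a-zA-Z0-9\-\.] is written here as [a-zA-Z0-9.-]:
# in a POSIX ERE bracket expression the hyphen is literal at the end and the
# dot is always literal, so the two accept the same characters.
cn_matches_policy() {
    printf '%s\n' "$1" |
        grep -Eq "^[a-zA-Z0-9]([a-zA-Z0-9.-]+)?\.(${POLICY_DOMAINS})\.(${POLICY_TLDS})$"
}

# fqdn_from_esxcli OUTPUT -> the "Fully Qualified Domain Name" field of
# `esxcli system hostname get` output passed in as a string.
fqdn_from_esxcli() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Fully Qualified Domain Name:[[:space:]]*//p'
}

# check_host OUTPUT -> 0 if the host's FQDN would pass the CA policy, 1 otherwise.
# On failure it prints the esxcli command that fixes the hostname (step 1 of the
# resolution); the domain appended is the constructed corp.example.
check_host() {
    fqdn=$(fqdn_from_esxcli "$1")
    if cn_matches_policy "$fqdn"; then
        echo "OK: CN=$fqdn satisfies the CA expression; generate the CSR now"
        return 0
    fi
    echo "FAIL: CN=$fqdn does not satisfy the CA expression" >&2
    echo "  run on the host:  esxcli system hostname set --fqdn=${fqdn}.corp.example" >&2
    echo "  then verify with: esxcli system hostname get" >&2
    return 1
}

# csr_subject_cn FILE -> the CN of a CSR generated in step 2, so the subject can
# be checked with cn_matches_policy before the CSR is sent to the CA. Handles
# both the "CN = x" and the "/CN=x" subject formats printed by openssl.
csr_subject_cn() {
    openssl req -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Constructed samples of `esxcli system hostname get` output: the failing
# state from the article (no domain name) and the state after step 1.
SAMPLE_BEFORE='   Domain Name:
   Fully Qualified Domain Name: esx01
   Host Name: esx01'
SAMPLE_AFTER='   Domain Name: corp.example
   Fully Qualified Domain Name: esx01.corp.example
   Host Name: esx01'

check_host "$SAMPLE_BEFORE" || true   # reports FAIL and the esxcli fix
check_host "$SAMPLE_AFTER"            # reports OK
```

Run the script as-is to see both outcomes; on a real host, replace the samples with `$(esxcli system hostname get)` and, after step 2, pass the downloaded CSR to `csr_subject_cn` and feed the result to `cn_matches_policy` so the subject is confirmed before the CA sees it.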