After replacing default ESXi certificates with custom CA-signed certificates, the host becomes "Disconnected" and unmanageable within the vCenter inventory. Attempts to reconnect the host or re-add it using its Fully Qualified Domain Name (FQDN) fail with the following error message:

A general system error occurred: Unable to get signed certificate for host <host-fqdn>. Error: ManagedObjectNotFound

This issue typically occurs in environments where hosts were initially added to vCenter via IP address or where the vpxd.certmgmt.mode is set to custom and the SSL certificate is issued to the ESXi host FQDN.

VMware ESXi 7.x, 8.x
VMware vCenter 7.x, 8.x

The issue is primarily caused by a mismatch between the certificate's Common Name (CN) and the actual FQDN of the host as recognized by vCenter. If the CN does not match the FQDN exactly, vCenter will reject the management handshake when the certificate mode is set to custom. Additionally, the vCenter service (vpxd) may fail to recognize management mode changes until the service is manually restarted.

To restore host connectivity and successfully apply the signed certificates, perform the following steps:

1. Adjust vCenter Certificate Management Mode:
   
   
   • In the vCenter UI, navigate to Advanced Settings.
   • Change vpxd.certmgmt.mode from custom to thumbprint.
   • Restart the vpxd service on the vCenter Server Appliance (VCSA) to apply this change.
     # service-control --stop vpxd
     # service-control --start vpxd
     
     Additional details on vCenter service controls: Stopping, Starting or Restarting VMware vCenter Server Appliance services
     
     
2. Re-add the Host to vCenter:
   
   
   • Remove the disconnected host from the vCenter inventory.
   • Re-add the host using its FQDN instead of its IP address.
     
     
3. Re-Adjust vCenter Certificate Management Mode (This must be set to custom before you can use the vSphere Client to generate a CSR for an External CA):
   
   
   • In the vCenter UI, navigate to Advanced Settings.
   • Change vpxd.certmgmt.mode from thumbprint to custom.
   • Restart the vpxd service on the vCenter Server Appliance (VCSA) to apply this change.
     # service-control --stop vpxd
     # service-control --start vpxd
     
     
4. Generate and Apply a Correct CSR:
   
   
   • Generate a new CSR using OpenSSL or there vSphere Client, ensuring the Common Name (CN) field matches the host FQDN exactly (e.g., esx01.example.com).
     Generate a Certificate Signing Request for a Custom Certificate Using the vSphere Client
     
     
   • If the ESXi host is disconnected, you can generate the CSR using openssl: 
     Steps to generate CSR for ESXi certificate when disconnected from vCenter
     
     Example CLI command: openssl req -new -newkey rsa:2048 -nodes -keyout <host-fqdn>.key -out <host-fqdn>.csr -config esxi.cnf
     
     
   • Obtain the signed certificate from your CA and apply the public/private keys to the ESXi host.
     Replace the Default Certificate with a Custom Certificate Using the vSphere Client
     
     
     

If the browser still reports the vCenter certificate as "Untrusted" despite being CA-signed, ensure the Root CA and any Intermediary certificates are correctly imported into the vCenter Trusted Root Store and your local machine's Trusted Root Certification Authorities. The following documentation provides additional details:

• Generating Certificate or Certificate Signing Request(CSR) for ESXi host with custom parameters using VCSA UI
• Replacing the Default ESXi Certificate with a Custom Certificate