Host addition to a cluster in SDDC Manager failed at stage 'Disable SSH on ESXi host'

Article ID: 428115

Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

When adding an ESXi host to a cluster in SDDC Manager, the task fails at the 'Disable SSH on ESXi host' step with the following error, which shows that SDDC Manager could not validate the host's TLS certificate.

Description    Disable SSH on ESXi host
Progress Messages    Failed to disable SSH on ESXi host <esxihostfqdn>.
Error
Message: Failed to disable SSH on ESXi host <esxihostfqdn>.
Remediation Message:
Reference Token: ######
Cause: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors Path does not chain with any of the trust anchors

Environment

VCF 5.x

Cause

The host addition task failed at the 'Disable SSH on ESXi host' step because SDDC Manager could not validate the certificate presented by the ESXi host: the certificate does not chain to any trust anchor SDDC Manager holds (the PKIX "Path does not chain with any of the trust anchors" error above).

This occurs when an ESXi host has been re-imaged using the same host name and is then added back to the same cluster. The fresh installation generates a new self-signed certificate for the host, while SDDC Manager still trusts the certificate chain recorded for the previous installation under that name.

Resolution

1. Generate a VMCA-signed certificate for the ESXi host from the management (MGMT) vCenter.

a. SSH into the MGMT vCenter.
b. Change to the /tmp directory.
c. Copy (scp) the vmca_host_cert.sh script to the vCenter. Download the script from KB: Unable to add ESXi hosts
d. Make the script executable:

chmod +x vmca_host_cert.sh

e. Run the script, passing the ESXi host name:

./vmca_host_cert.sh <theesxihostname>
Status : Success
Using config file : /usr/lib/vmware-vmca/share/config/certool.cfg
Status : Success

2. Copy the generated certificate and key from the vCenter to the /etc/vmware/ssl directory on the ESXi host (SSH is still enabled on the host at this point, since the step that failed is the one that disables it). The .key file is the host's private key: transfer it over scp only and keep its owner-only (0600) permissions.

-rw-------  1 vmcad-user lwis 1.7K Jul 13 15:52 <theesxihostname>.key
-rw-r--r--  1 vmcad-user lwis 1.6K Jul 13 15:52 <theesxihostname>.crt

3. Apply the VMCA-signed certificate and key on the ESXi host.

a. SSH into the ESXi host.
b. Change to the /etc/vmware/ssl directory:

cd /etc/vmware/ssl

c. Back up the existing certificate and key so they can be restored if needed:

mv rui.crt orig.rui.crt
mv rui.key orig.rui.key

d. Rename the new certificate and key to rui.crt and rui.key:

mv <theesxihostname>.crt rui.crt
mv <theesxihostname>.key rui.key

e. Persist the change to the boot bank so it survives a reboot:

/sbin/auto-backup.sh

4. Restart the ESXi services so hostd starts using the new certificate (management connectivity to the host drops briefly while the services restart):

services.sh restart

5. Retry the failed 'Disable SSH on ESXi host' task from SDDC Manager, or add the ESXi host to the cluster again via SDDC Manager.
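The host-side part of the procedure (steps 3 and 4), as an added example that is not part of this KB and not VMware tooling. It wraps the file swap in POSIX sh functions and adds two pre-flight checks the steps above do not perform: that the new certificate and private key actually belong together (a mismatched pair leaves hostd without a working TLS listener after the restart), and that the new certificate chains to the VMCA root, which is the same path validation that failed in SDDC Manager. It assumes openssl is on PATH (it is on ESXi) and PEM-encoded files; the /tmp paths, the vmca_root.crt file name and the host name are placeholders.

```shell
#!/bin/sh
# Added example, not from the KB or from VMware: the rui.crt/rui.key swap from
# step 3 with pre-flight checks. Assumes openssl on PATH and PEM files.
# File names below (/tmp/esxi01.crt, /tmp/vmca_root.crt, ...) are placeholders.

# Returns 0 if the public key inside certificate $1 equals the public key
# derived from private key $2. Both commands print the key as PEM
# SubjectPublicKeyInfo, so a plain string comparison is enough.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Returns 0 if certificate $1 chains to a trust anchor in CA bundle $2.
# This is the check that produced "Path does not chain with any of the trust
# anchors" in SDDC Manager, so run it against the VMCA root before retrying.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Replaces rui.crt/rui.key in directory $1 with $2/$3, keeping the originals
# as orig.rui.*. Refuses to touch anything if the new pair does not match.
install_host_cert() {
    ssl_dir=$1; new_crt=$2; new_key=$3
    if ! cert_key_match "$new_crt" "$new_key"; then
        echo "refusing to install: $new_crt does not match $new_key" >&2
        return 1
    fi
    [ -f "$ssl_dir/rui.crt" ] && mv "$ssl_dir/rui.crt" "$ssl_dir/orig.rui.crt"
    [ -f "$ssl_dir/rui.key" ] && mv "$ssl_dir/rui.key" "$ssl_dir/orig.rui.key"
    cp "$new_crt" "$ssl_dir/rui.crt" && cp "$new_key" "$ssl_dir/rui.key" || return 1
    # Private key stays owner-only; the certificate is public.
    chmod 644 "$ssl_dir/rui.crt" && chmod 600 "$ssl_dir/rui.key"
}

# Steps 3e and 4 on the host itself: persist to the boot bank, restart services.
persist_and_restart() {
    /sbin/auto-backup.sh && services.sh restart
}

# Typical use on the ESXi host after scp'ing the files in (placeholder paths):
#   cert_chains_to /tmp/esxi01.crt /tmp/vmca_root.crt || exit 1
#   install_host_cert /etc/vmware/ssl /tmp/esxi01.crt /tmp/esxi01.key && persist_and_restart
```

If cert_chains_to fails against the VMCA root, the retry in SDDC Manager will fail the same way; check that the certificate came from the vCenter that manages the target cluster before installing it.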