1. Allow SSH access to ESXi/ESX hosts with public/private key authentication
To allow root login over SSH on the ESXi host, change PermitRootLogin no to PermitRootLogin yes in the /etc/ssh/sshd_config file. To disable password login, ensure that both ChallengeResponseAuthentication and PasswordAuthentication are set to no.
If changes were made to the sshd config file, reload the service:
For ESXi: /etc/init.d/SSH restart
For ESX: service sshd reload
After activating the SSH service on the ESXi host (in the web UI: Host tab > Actions menu > Services > Enable Secure Shell (SSH)), back up the original certificate and key:
cd /etc/vmware/ssl
mv rui.key rui.key.ori
mv rui.crt rui.crt.ori
For ESXi 5.x, 6.0, 6.5 and 6.7, the authorized_keys file is located at:
/etc/ssh/keys-<username>/authorized_keys
Append the generated public key to this file (the private key stays on the client) and test the connection to the ESXi host.
(source: https://kb.vmware.com/s/article/1002866)
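To confirm that password login is really disabled after the edits in step 1, the following added example (not part of the original page or the VMware KB article) reads an sshd_config the way sshd does: keywords are case-insensitive, the first occurrence wins, and a missing directive falls back to the OpenSSH default of yes. The function names and the sample config are constructed for illustration, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit the sshd_config directives discussed in step 1.

# Print the effective global value of directive $1 in file $2 (empty if unset).
# sshd keywords are case-insensitive and the first occurrence wins.
# Parsing stops at the first Match block; conditional overrides are ignored.
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }            # strip leading whitespace
        /^#/ || /^$/ { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }   # end of the global section
        tolower($1) == want { print tolower($2); exit }
    ' "$2"
}

# Return 0 only if both password-based methods are explicitly set to "no".
# An unset directive fails the check because OpenSSH defaults it to "yes".
check_key_only() {
    rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(sshd_effective "$key" "$1")
        if [ "$val" != "no" ]; then
            echo "FAIL $key=${val:-unset (default yes)}"
            rc=1
        fi
    done
    echo "INFO PermitRootLogin=$(sshd_effective PermitRootLogin "$1")"
    return $rc
}

# Constructed sample config, not taken from a real host.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
PermitRootLogin yes
passwordauthentication no
#ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF

# On a host, pass /etc/ssh/sshd_config instead of the sample file.
check_key_only "$tmp/sshd_config" || echo "password login is still possible"
```

In the sample, the commented-out ChallengeResponseAuthentication line leaves that method at its default, so the check fails even though PasswordAuthentication resolves to no.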
2. Deploy TLS Certificates to ESXi
Create a TLS certificate (e.g. via acme.sh) and copy the newly generated certificate and key to the ESXi host:
scp tls_esxihost.cer root@esxihost.lan:/etc/vmware/ssl/rui.crt
scp tls_esxihost.key root@esxihost.lan:/etc/vmware/ssl/rui.key
Then, reload services to serve the new certificate:
services.sh restart
(source: https://www.linuxtricks.fr/wiki/wiki.php?title=vmware-esxi-ajouter-son-propre-certificat)