ESXi Host Certificate Renewal Doesn't Include Full Chain

I have just successfully migrated one of our vCenter 6.0 Windows servers to a brand new 6.7 U1 vCenter Server Appliance. After this migration I configured VMCA to be an intermediate certificate authority to our internal CA. The process for this is relatively straightforward; however, there appears to be an issue in 6.7 (and potentially 6.5) whereby hosts which are subsequently issued a new SSL certificate fail to present the full certificate chain, and therefore still show as untrusted in the browser when accessing the ESXi host client. The following steps resolved the issue for me.

  1. Put the particular host into Maintenance Mode.
  2. Start the SSH service and connect to the host.
  3. Edit the /etc/vmware/rhttpproxy/config.xml file:

     ```shell
     vi /etc/vmware/rhttpproxy/config.xml
     ```

  4. Either uncomment or add the following item to the <ssl> XML node:

     ```xml
     <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>
     ```

  5. For example, the full <ssl> node should look similar to the following:

     ```xml
     <!-- Remove the following node to disable SSL -->
     <ssl>
       <!-- The server private key file -->
       <privateKey>/etc/vmware/ssl/rui.key</privateKey>

       <!-- The server side certificate file -->
       <certificate>/etc/vmware/ssl/rui.crt</certificate>

       <!-- Client-side CAFile verify location -->
       <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>
     </ssl>
     ```

  6. Save the config file and restart the rhttpproxy service:

     ```shell
     /etc/init.d/rhttpproxy restart
     ```

  7. Once the service has been restarted, exit the host from Maintenance Mode.
  8. You should now be able to renew the ESXi host certificate successfully via the vSphere Client.
  9. Access the host client to confirm that the host is now using the full certificate chain and no longer displays insecure warnings.
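The config edit in steps 3 to 6 is easy to get subtly wrong on a fleet of hosts (a typo inside the `<ssl>` node leaves rhttpproxy unable to start), and step 9 is a manual check. The script below is an added example, not part of the original post or of any VMware tooling: it idempotently enables the `<keyStoreFile>` element in a copy of config.xml (uncommenting a single-line commented element, or inserting it before `</ssl>` if absent) and counts the certificates in a PEM bundle, which lets you verify the served chain from `openssl s_client -showcerts` output instead of eyeballing a browser warning. The sample config.xml it writes is constructed for the demonstration; the function names, the `.tmp` working file, and the restart and `openssl` helpers are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Enable <keyStoreFile> in an
# rhttpproxy config.xml and verify the chain length a host presents.

# Element the post tells you to uncomment or add inside <ssl>.
KEYSTORE_ELEMENT='<keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>'

# ensure_keystore_file CONFIG
# Prints exactly one of: unchanged | uncommented | added
# Handles an element commented out on a single line; a multi-line
# <!-- ... --> block around it is not detected and must be edited by hand.
ensure_keystore_file() {
  cfg="$1"
  tmp="$cfg.tmp"   # assumed scratch path next to the config
  if grep -q '^[[:space:]]*<keyStoreFile>' "$cfg"; then
    echo unchanged
    return 0
  fi
  if grep -q '<!--[[:space:]]*<keyStoreFile>[^<]*</keyStoreFile>[[:space:]]*-->' "$cfg"; then
    # Element present but commented out: strip only the comment markers.
    sed 's|<!--[[:space:]]*\(<keyStoreFile>[^<]*</keyStoreFile>\)[[:space:]]*-->|\1|' \
      "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    echo uncommented
    return 0
  fi
  # Element missing entirely: insert it before </ssl>, matching its indent
  # plus two spaces so the file keeps the stock layout.
  awk -v line="$KEYSTORE_ELEMENT" '
    /^[[:space:]]*<\/ssl>/ { match($0, /^[[:space:]]*/); print substr($0, 1, RLENGTH) "  " line }
    { print }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
  echo added
}

# count_pem_certs FILE
# Number of certificates in a PEM bundle. For a host fixed as in the post
# (leaf issued by VMCA, VMCA chained to the internal CA) expect at least 2.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# served_cert_count HOST
# Same count, taken live from the host's TLS handshake (network; not run here).
served_cert_count() {
  openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# write_sample_config PATH  -- constructed sample mirroring the stock layout,
# deliberately without a <keyStoreFile> element.
write_sample_config() {
  cat > "$1" <<'EOF'
<config>
  <!-- Remove the following node to disable SSL -->
  <ssl>
    <!-- The server private key file -->
    <privateKey>/etc/vmware/ssl/rui.key</privateKey>
    <!-- The server side certificate file -->
    <certificate>/etc/vmware/ssl/rui.crt</certificate>
  </ssl>
</config>
EOF
}

# Demo on a throwaway copy. On a real host (in Maintenance Mode) you would run
#   ensure_keystore_file /etc/vmware/rhttpproxy/config.xml && /etc/init.d/rhttpproxy restart
# and afterwards check: served_cert_count <esxi-host>
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/config.xml"
ensure_keystore_file "$demo_dir/config.xml"   # prints: added
ensure_keystore_file "$demo_dir/config.xml"   # prints: unchanged
rm -rf "$demo_dir"
```

Running `ensure_keystore_file` twice is safe, which matters when the same script is pushed to every host; `served_cert_count` returning 1 after the restart means the proxy is still sending only the leaf and the castore.pem path or the restart should be rechecked.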