ESXi hosts and vCenter Server communicate securely over SSL to ensure confidentiality, data integrity and authentication.
In vSphere 6.0, the VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority, by default. Provisioning happens when the ESXi host is added to vCenter Server explicitly or as part of the ESXi host installation. All ESXi certificates are stored locally on the host.
You can also use custom certificates with a different root Certificate Authority (CA). For information about managing certificates for ESXi hosts, see the vSphere Security documentation.
All certificates for vCenter Server and the vCenter Server services are stored in the VMware Endpoint Certificate Store (VECS).
You can replace the VMCA certificate for vCenter Server with a different certificate signed by a CA. If you want to use a third party certificate, install the Platform Services Controller, add the new CA-signed root certificate to VMCA, and then install vCenter Server. For information about managing vCenter Server certificates, see the vSphere Security documentation.