If you want to use a third-party CA-signed certificate, either with VMCA as a subordinate authority or with a custom certificate authority, you have to send a Certificate Signing Request (CSR) to the CA.
Use a CSR with these characteristics:
- Key size: 2048 bits
- PKCS1
- No wildcards
- Start time of one day before the current time
- CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
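
As an added example (not VMware's own tooling), the following OpenSSL shell functions generate a CSR with these characteristics and then verify an existing CSR and key against them before submission to the CA. Assumptions: "PKCS1" is read as the private key encoding, the file names `host.key` and `host.csr` and the host name `esx01.example.test` are constructed, and the start time is not checked because a CSR carries no validity period (the issuing CA sets it).

```shell
#!/bin/sh
# Added example (not VMware code). Needs OpenSSL 1.1.1 or later for -addext.
# File names host.key / host.csr and the sample host name are assumptions.

fail() { echo "FAIL: $*" >&2; exit 1; }

# make_esxi_csr HOST OUTDIR -> OUTDIR/host.key (PKCS#1 PEM), OUTDIR/host.csr
make_esxi_csr() (
    host=$1; out=$2
    case $host in *'*'*) fail "wildcard name not allowed: $host" ;; esac
    # An IP address belongs in an IP SAN entry, a name in a DNS entry.
    if printf '%s\n' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'
    then san="IP:$host"; else san="DNS:$host"; fi
    umask 077                                   # key readable by owner only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$out/host.p8" 2>/dev/null || fail "key generation"
    # genpkey writes PKCS#8; re-encode as PKCS#1 ("BEGIN RSA PRIVATE KEY").
    openssl pkey -in "$out/host.p8" -traditional -out "$out/host.key" \
        || fail "PKCS#1 conversion"
    rm -f "$out/host.p8"
    openssl req -new -key "$out/host.key" -subj "/CN=$host" \
        -addext "subjectAltName=$san" -out "$out/host.csr" || fail "CSR creation"
)

# check_esxi_csr CSR KEY HOST -> exit status 0 only if every check passes
check_esxi_csr() (
    csr=$1; key=$2; host=$3
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || fail "unreadable CSR"
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || fail "key is not 2048 bits"
    [ "$(head -n 1 "$key")" = "-----BEGIN RSA PRIVATE KEY-----" ] || fail "key is not PKCS#1"
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    san=$(printf '%s\n' "$text" |
          sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
    case "$cn $san" in *'*'*) fail "wildcard in CN or SAN" ;; esac
    [ "$cn" = "$host" ] || fail "CN '$cn' does not match inventory name '$host'"
    case $san in "DNS:$host"|"IP Address:$host") ;;
        *) fail "SAN '$san' does not match inventory name '$host'" ;; esac
)

# Usage: make_esxi_csr esx01.example.test . && check_esxi_csr host.csr host.key esx01.example.test
```

Pass the name exactly as the host appears in the vCenter Server inventory; a CSR built for the FQDN fails the check when the host was added by short name or IP address.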