If you want to use a third-party CA-signed certificate, either with VMCA as a subordinate authority or with a custom certificate authority, you have to send a Certificate Signing Request (CSR) to the CA.

Use a CSR with these characteristics:

  • Key size: 2048 bits

  • PKCS1

  • No wildcards

  • Start time of one day before the current time

  • CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
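
One way to generate a CSR with these properties and check it before sending it to the CA, using the OpenSSL command line (an added example, not VMware code). The host names and the file names `esxi.key` and `esxi.csr` are constructed, and the example assumes that "PKCS1" refers to the PEM encoding of the RSA private key.

```shell
#!/bin/sh
# Added example (not VMware tooling). Host names and file names are constructed.
# Assumption: "PKCS1" on this page means the PEM encoding of the RSA private key.
# The validity start time is set by the CA when it signs; a CSR carries no dates.

# make_esxi_csr HOST OUTDIR -> writes OUTDIR/esxi.key and OUTDIR/esxi.csr
make_esxi_csr() {
    host=$1; out=$2
    case $host in *'*'*) echo "wildcards are not allowed: $host" >&2; return 1 ;; esac
    # Use an IP SAN for dotted-quad IPv4 input, a DNS SAN otherwise.
    if printf '%s\n' "$host" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        san="IP:$host"
    else
        san="DNS:$host"
    fi
    ( umask 077   # the private key must not be readable by other users
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=$host" -addext "subjectAltName=$san" \
          -keyout "$out/esxi.key.tmp" -out "$out/esxi.csr" 2>/dev/null || exit 1
      # OpenSSL 3.x needs -traditional to emit PKCS#1; older releases emit it by default.
      openssl rsa -in "$out/esxi.key.tmp" -traditional -out "$out/esxi.key" 2>/dev/null ||
          openssl rsa -in "$out/esxi.key.tmp" -out "$out/esxi.key" 2>/dev/null || exit 1
      rm -f "$out/esxi.key.tmp" )
}

# check_esxi_csr CSR KEY HOST -> exit status 0 only if every property below holds
check_esxi_csr() {
    csr=$1; key=$2; host=$3
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    # 2048-bit public key
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
    # PKCS#1 private key header
    head -n 1 "$key" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' || return 1
    cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*$/\1/p')
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    # No wildcards in CN or SAN
    case "$cn,$san" in *'*'*) return 1 ;; esac
    # CN and SAN must both name the host as it appears in the inventory
    [ "$cn" = "$host" ] || return 1
    case ",$san," in
        *",DNS:$host,"* | *",IPAddress:$host,"*) return 0 ;;
    esac
    return 1
}
```

Call `make_esxi_csr` with the host name (or IP address) and an output directory, then run `check_esxi_csr` on the resulting files with the same name before submitting the CSR. `-addext` requires OpenSSL 1.1.1 or later.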