If you want to use a third-party CA-signed certificate, either with VMCA as a subordinate authority or with a custom certificate authority, you have to send a Certificate Signing Request (CSR) to the CA.

Use a CSR with these characteristics:

  • Key size: 2048 bits
  • PKCS1
  • No wildcards
  • Start time of one day before the current time
  • CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.
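
The characteristics above can be put into an OpenSSL request for a single host. This is an added example, not VMware tooling or code from the original page. The function names, file names and the host name `esx01.example.test` are assumptions, as is reading the "PKCS1" item as the private key encoding. Only IPv4 literals are treated as IP addresses.

```shell
# Added example. Function names, file names and the host name are assumptions.

# Print an OpenSSL "req" config for the inventory name in $1.
# Rejects wildcards; an IPv4 literal gets an IP SAN, anything else a DNS SAN.
esxi_csr_config() {
  _name="$1"
  case "$_name" in
    ''|*'*'*) echo "refusing empty or wildcard name: $_name" >&2; return 1 ;;
  esac
  if printf '%s\n' "$_name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    _san="IP.1 = $_name"
  else
    _san="DNS.1 = $_name"
  fi
  cat <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = $_name

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
$_san
EOF
}

# Write <name>.key and <name>.csr into the current directory.
esxi_make_csr() {
  _cfg="$(mktemp)" || return 1
  if esxi_csr_config "$1" > "$_cfg" &&
     openssl req -new -newkey rsa:2048 -nodes -config "$_cfg" \
       -keyout "$1.key" -out "$1.csr"; then _rc=0; else _rc=1; fi
  rm -f "$_cfg"
  return "$_rc"
}

# Succeeds if the key file carries the PKCS#1 PEM header. Recent OpenSSL
# releases write PKCS#8 ("BEGIN PRIVATE KEY") from "req", so check the key.
key_is_pkcs1() {
  head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}
```

Run `esxi_make_csr esx01.example.test` with the name exactly as it appears in the vCenter Server inventory, then inspect the result with `openssl req -in esx01.example.test.csr -noout -text` before sending it to the CA.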