You can use the vSphere Certificate Manager utility to replace all certificates with custom certificates. Before you start the process, you must send CSRs to your CA. You can use Certificate Manager to generate the CSRs.
One option is to only replace the machine SSL certificate, and to use the solution user certificates that are provisioned by VMCA. Solution user certificates are used only for communication between vSphere Components.
When you use custom certificates, you are responsible for provisioning each node that you add to your environment with custom certificates. VMCA still provisions with VMCA-signed certificates, and you are responsible for replacing those certificates. You can use the vSphere Certificate Manager utility or use CLIs for manual certificate replacement. Certificates are stored in VECS.