If you upgrade an ESXi host to ESXi 6.0 or later, the upgrade process replaces self-signed certificates with VMCA-signed certificates. The process retains custom certificates even if those certificates are expired or invalid.

The recommended upgrade workflow depends on the current certificates.
Host Provisioned with Thumbprint Certificates
If your host is currently using thumbprint certificates, it is automatically assigned VMCA certificates as part of the upgrade process.
Note: You cannot provision legacy hosts with VMCA certificates. You must upgrade to ESXi 6.0 or later.
Host Provisioned with Custom Certificates
If your host is provisioned with custom certificates, usually third-party CA-signed certificates, those certificates remain in place. Change the certificate mode to Custom to ensure that the certificates are not replaced accidentally.
Note: If your environment is in VMCA mode, and you refresh the certificates from the vSphere Web Client, any existing certificates are replaced with certificates that are signed by VMCA.

Going forward, vCenter Server monitors the certificates and displays information, for example, about certificate expiration, in the vSphere Web Client.
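
A pre-upgrade audit of the behavior described above, as an added example that is not VMware code: it predicts whether each host certificate will be replaced by VMCA or retained, and flags custom certificates that are already expired, since the upgrade keeps those as they are. It assumes the certificate fields were already exported with `openssl x509 -noout -subject -issuer -enddate`, and it treats subject equal to issuer as the marker for a self-signed certificate; the host names, CA name, dates and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: per-host output of
#   openssl x509 -noout -subject -issuer -enddate
# Host names, CA name and dates are invented for illustration.
SAMPLE = {
    "esx01.example.test": "subject=CN = esx01.example.test\n"
                          "issuer=CN = esx01.example.test\n"
                          "notAfter=Mar  4 10:00:00 2031 GMT\n",
    "esx02.example.test": "subject=CN = esx02.example.test\n"
                          "issuer=CN = Example Corp Issuing CA\n"
                          "notAfter=Jun  1 12:00:00 2023 GMT\n",
    "esx03.example.test": "subject=CN = esx03.example.test\n"
                          "issuer=CN = Example Corp Issuing CA\n"
                          "notAfter=Sep 30 12:00:00 2027 GMT\n",
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_fields(text):
    """Return (subject, issuer, expiry) from the openssl output above."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    expiry = datetime.strptime(fields["notAfter"].replace(" GMT", ""),
                               "%b %d %H:%M:%S %Y")
    return (fields["subject"].strip(), fields["issuer"].strip(),
            expiry.replace(tzinfo=timezone.utc))


def audit(text, now):
    """Predict the upgrade outcome for one host certificate."""
    subject, issuer, expiry = parse_fields(text)
    if subject == issuer:
        # Assumption: subject == issuer identifies a self-signed certificate,
        # which the upgrade replaces with a VMCA-signed one.
        return "replaced-by-vmca", []
    # Anything else is treated as a custom (third-party CA) certificate.
    warnings = ["change certificate mode to Custom so a refresh does not replace it"]
    if expiry <= now:
        # The upgrade retains custom certificates even when they are expired.
        warnings.insert(0, f"expired {expiry:%Y-%m-%d}; the upgrade will keep it")
    return "retained-custom", warnings


if __name__ == "__main__":
    for host, text in SAMPLE.items():
        outcome, warnings = audit(text, NOW)
        print(host, outcome, *warnings, sep="\n  ")
```

Hosts reported as `retained-custom` with an expiry warning need a renewed certificate from their own CA, because the upgrade will not fix them.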

If you decide not to upgrade your hosts to vSphere 6.0 or later, the hosts retain the certificates that they are currently using even if the host is managed by a vCenter Server system that uses VMCA certificates.

Hosts that are being provisioned by Auto Deploy are always assigned new certificates when they are first booted with ESXi 6.0 software. When you upgrade a host that is provisioned by Auto Deploy, the Auto Deploy server generates a certificate signing request (CSR) for the host and submits it to VMCA. VMCA stores the signed certificate for the host. When the Auto Deploy server provisions the host, it retrieves the certificate from VMCA and includes it as part of the provisioning process.

You can use Auto Deploy with custom certificates.