If company policy requires it, you can replace all certificates used in vSphere with third-party CA-signed certificates. If you do that, VMCA is not in your certificate chain, but all vCenter certificates have to be stored in VECS.

You can replace all certificates or use a hybrid solution. For example, consider replacing all certificates that are used for network traffic but leaving VMCA-signed solution user certificates in place. Solution user certificates are used only for authentication to vCenter Single Sign-On.
Note: If you do not want to use VMCA, you are responsible for replacing all certificates yourself, for provisioning new components with certificates, and for keeping track of certificate expiration.
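
An added example, not part of the original page or of VMware's tooling: a Python check that reads certificate text in the shape printed by `vecs-cli entry list --store <store> --text` and reports entries nearing expiry together with their issuer, which also shows which certificates in a hybrid setup are still VMCA-signed. The sample text, the 60-day window and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `vecs-cli entry list --store <store> --text`
# output (OpenSSL-style certificate text); not captured from a real system.
SAMPLE = {
    "MACHINE_SSL_CERT": "Alias : __MACHINE_CERT\n"
                        "    Issuer: CN=Example Corp Issuing CA, O=Example Corp\n"
                        "        Not After : Mar  1 12:00:00 2025 GMT\n",
    "vpxd": "Alias : vpxd\n"
            "    Issuer: CN=CA, DC=vsphere, DC=local, O=vc01.example.test\n"
            "        Not After : Nov 20 08:30:00 2026 GMT\n",
}
FIELD = re.compile(r"^\s*(Alias|Issuer|Not After)\s*:\s*(.+?)\s*$")

def parse_entries(text):
    """Return one dict per certificate entry; an entry starts at its Alias line."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Alias":
            entries.append({"alias": value})
        elif entries and key == "Issuer":
            entries[-1]["issuer"] = value
        elif entries and key == "Not After":
            stamp = " ".join(value.split())  # OpenSSL pads single-digit days
            entries[-1]["not_after"] = datetime.strptime(
                stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return entries

def expiring(stores, now, warn_days=60):
    """List (store, alias, issuer, days_left) inside the warning window, soonest first."""
    limit = now + timedelta(days=warn_days)
    hits = []
    for store, text in stores.items():
        for e in parse_entries(text):
            if "not_after" in e and e["not_after"] <= limit:
                days_left = (e["not_after"] - now).days  # negative once expired
                hits.append((store, e["alias"], e.get("issuer", "?"), days_left))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for hit in expiring(SAMPLE, datetime.now(timezone.utc)):
        print("%s/%s issued by %s: %d days left" % hit)
```

Entries without a certificate (no `Not After` line) are skipped, and an already expired certificate is reported with a negative day count.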