If you want to use an enterprise or third-party CA-signed certificate, you have to send a Certificate Signing Request (CSR) to the CA.
Use a CSR with these characteristics:
Key size: 2048 bits or more (PEM encoded)
PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8
x509 version 3
For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
SubjectAltName must contain DNS Name=<machine_FQDN>
Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Start time of one day before the current time
CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter Server inventory.