Managing ESXi SSL certificates
The VMCA, in vSphere 6, provisions a signed certificate to each ESXi host. The certificate specifies the VMCA as the root certificate authority by default. The certificate is provisioned when the ESXi host is added to vCenter Server, or installed or upgraded to ESXi 6.0 or later.
Renewing VMCA certificates
If the VMCA is a subordinate certificate authority, it is allowed to sign certificates for the ESXi hosts. This can be done using the vSphere Web Client. To do so, log into the vSphere Web Client and navigate to the Hosts and Cluster inventory view. Right-click on the ESXi host, and select Certificates | Renew Certificate.
This will bring up the Renew Certificate dialog; click on the Yes button.
This can also be done without making the VMCA a subordinate certificate authority. This process would need to be before the certificate expires or if the hostname is changed. However, if the certificate has already expired, just disconnect and remove the ESXi host...
