Unable to establish SSL connection to host after adding trusted root to VMCA

Article ID: 340944


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
After adding a trusted root to VMCA (e.g. after convergence), the VASA provider cannot establish an SSL connection to the host.

Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x

Cause

This issue occurs when the trusted roots are not refreshed on the hosts.

Resolution

To resolve this issue, refresh host TRUSTED_ROOTS after adding a trusted root to VMCA. For information on how to refresh host TRUSTED_ROOTS, refer to Renew or Refresh ESXi Certificates.

To refresh host TRUSTED_ROOTS:

Note: These are PowerShell commands.

1. Run this command to connect to the vCenter Server:
    Connect-VIServer -Server vcenter-server
2. Run this command to get the ESXi hosts and store them in a variable:
    $hosts = Get-VMHost
3. Run this command to retrieve the Service Instance view:
    $si = Get-View ServiceInstance
4. Run this command to retrieve the Certificate Manager view:
    $certMgr = Get-View -Id $si.Content.CertificateManager
5. Using the Certificate Manager, refresh the ESXi hosts' certificates.
6. Run this command to push all certificates in the TRUSTED_ROOTS store in the vCenter Server VECS store to the hosts:
    $certMgr.CertMgrRefreshCACertificatesAndCRLs($hosts.ExtensionData.MoRef)
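
The steps above as a single script that also checks the result on each host. This is an added example, not part of the original article. It assumes VMware PowerCLI, keeps the article's placeholder name vcenter-server, and uses the vSphere API HostCertificateManager call ListCACertificates to compare each host's CA list before and after the refresh; the helper Get-HostCaCert is a hypothetical name.

```powershell
# Added example (not from the original article). Requires VMware PowerCLI.
# 'vcenter-server' is the article's placeholder; replace it with your vCenter Server.
$ErrorActionPreference = 'Stop'
Connect-VIServer -Server vcenter-server | Out-Null

# Hypothetical helper: return the CA certificates a host currently trusts,
# parsed from the PEM strings reported by the host's own certificate manager.
function Get-HostCaCert {
    param($VMHost)
    $hostCertMgr = Get-View -Id $VMHost.ExtensionData.ConfigManager.CertificateManager
    foreach ($pem in $hostCertMgr.ListCACertificates()) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($pem)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    }
}

$si      = Get-View ServiceInstance
$certMgr = Get-View -Id $si.Content.CertificateManager

# Refresh one host at a time so a single failure does not stop the batch.
$results = foreach ($vmhost in Get-VMHost) {
    if ($vmhost.ConnectionState -notin 'Connected', 'Maintenance') {
        # An unreachable host cannot receive the TRUSTED_ROOTS push; report it.
        [pscustomobject]@{ Host = $vmhost.Name; Status = "Skipped ($($vmhost.ConnectionState))"
                           CaCount = $null; AddedRoots = $null }
        continue
    }
    try {
        $before = @(Get-HostCaCert $vmhost | ForEach-Object Thumbprint)
        $certMgr.CertMgrRefreshCACertificatesAndCRLs(@($vmhost.ExtensionData.MoRef))
        $after  = @(Get-HostCaCert $vmhost)
        # Roots present on the host now that were not there before the refresh.
        $added  = @($after | Where-Object { $_.Thumbprint -notin $before })
        [pscustomobject]@{ Host = $vmhost.Name; Status = 'Refreshed'
                           CaCount = $after.Count; AddedRoots = ($added.Subject -join '; ') }
    }
    catch {
        [pscustomobject]@{ Host = $vmhost.Name; Status = "Failed: $($_.Exception.Message)"
                           CaCount = $null; AddedRoots = $null }
    }
}

$results | Format-Table -AutoSize -Wrap
Disconnect-VIServer -Server vcenter-server -Confirm:$false
```

A host that shows Refreshed with an empty AddedRoots column already trusted every root in the vCenter TRUSTED_ROOTS store; a Skipped or Failed host still needs the refresh once it is reachable.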