Failed to update ESXi certificate in vCenter

Article ID: 390133

Products

  • VMware vSphere ESX 7.x
  • VMware vSphere ESX 8.x
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

  • ESXi uses a VMCA-issued certificate.
  • The vCenter Server system's MACHINE_SSL_CERT and Trusted_Root certificates are valid and have not expired.
  • The ESXi host is in maintenance mode.

After renewing the ESXi certificate in vCenter, the task "Refresh the subject certificate on the host" finishes.

However, the ESXi host certificate does not update.

The following messages can be seen in the vCenter logs.

--- /var/log/vmware/vpxd/vpxd.log
####-##-##T##:##:##.#### info vpxd[08047] [Originator@6876 sub=vpxLro opID=########-#####-auto-###-h5:########-##] [VpxLRO] -- BEGIN task-##### -- certificateManager -- vim.CertificateManager.refreshCertificates -- ########-####-####-####-########(########-####-####-####-########)
####-##-##T##:##:##.#### info vpxd[08047] [Originator@6876 sub=vpxLro opID=########-#####-auto-###-h5:########-##] [VpxLRO] -- FINISH task-#####
####-##-##T##:##:##.#### info vpxd[08043] [Originator@6876 sub=MoCluster opID=HB-host-##@####-########] Excluding host for placing HDCS VM [vim.HostSystem:host-##,XXX.XXXX.XXX.XXX]. Reason: Maintenance mode ENABLED

Environment

vSphere 7.0.x

vSphere 8.0.x

Cause

Renewing or refreshing the ESXi SSL certificate from the vSphere Client requires that the ESXi host is not in maintenance mode. When the host is in maintenance mode, the refresh task completes, but the new certificate is not applied to the host.
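As an added triage example (not part of this KB article), the following Python script scans vpxd.log lines of the shape shown above and flags a finished refreshCertificates task while vCenter reports a host in maintenance mode; the sample log lines are constructed placeholders, not a real capture.

```python
import re

# Constructed sample lines modelled on the masked vpxd.log excerpt above;
# timestamps, task ids, opIDs, UUIDs and host names are placeholders.
SAMPLE_VPXD_LOG = """\
2024-01-01T10:00:00.000 info vpxd[08047] [Originator@6876 sub=vpxLro opID=aaaaaaaa-11111-auto-abc-h5:bbbbbbbb-01] [VpxLRO] -- BEGIN task-101 -- certificateManager -- vim.CertificateManager.refreshCertificates -- 00000000-0000-0000-0000-000000000000(00000000-0000-0000-0000-000000000000)
2024-01-01T10:00:02.000 info vpxd[08047] [Originator@6876 sub=vpxLro opID=aaaaaaaa-11111-auto-abc-h5:bbbbbbbb-01] [VpxLRO] -- FINISH task-101
2024-01-01T10:00:05.000 info vpxd[08043] [Originator@6876 sub=MoCluster opID=HB-host-12@1-cccccccc] Excluding host for placing HDCS VM [vim.HostSystem:host-12,esx01.lab.example]. Reason: Maintenance mode ENABLED
2024-01-01T10:00:05.500 info vpxd[08043] [Originator@6876 sub=MoCluster opID=HB-host-13@1-cccccccc] Excluding host for placing HDCS VM [vim.HostSystem:host-13,esx02.lab.example]. Reason: Insufficient resources
"""

# Start of a vim.CertificateManager.refreshCertificates long-running task.
REFRESH_BEGIN = re.compile(
    r"\[VpxLRO\] -- BEGIN (task-\d+) -- certificateManager -- "
    r"vim\.CertificateManager\.refreshCertificates")
# End of any long-running task; matched against the task ids seen above.
TASK_FINISH = re.compile(r"\[VpxLRO\] -- FINISH (task-\d+)")
# Host excluded from placement because it is in maintenance mode.
HOST_IN_MAINTENANCE = re.compile(
    r"\[vim\.HostSystem:(host-\d+),([^\]]+)\]\. Reason: Maintenance mode ENABLED")

def triage_vpxd_log(text):
    """Return (finished refresh task ids, {host moref: host name in maintenance})."""
    begun, finished, maintenance = set(), [], {}
    for line in text.splitlines():
        m = REFRESH_BEGIN.search(line)
        if m:
            begun.add(m.group(1))
            continue
        m = TASK_FINISH.search(line)
        if m and m.group(1) in begun:
            finished.append(m.group(1))
            continue
        m = HOST_IN_MAINTENANCE.search(line)
        if m:
            maintenance[m.group(1)] = m.group(2)
    return finished, maintenance

def explain(finished, maintenance):
    """Human-readable verdict matching the cause described in this article."""
    if finished and maintenance:
        hosts = ", ".join(f"{n} ({h})" for h, n in sorted(maintenance.items()))
        return (f"Refresh task(s) {', '.join(finished)} finished, but {hosts} "
                "reported Maintenance mode ENABLED: the host certificate was "
                "not replaced. Exit maintenance mode and renew again.")
    return "No completed certificate refresh with a host in maintenance mode found."

if __name__ == "__main__":
    print(explain(*triage_vpxd_log(SAMPLE_VPXD_LOG)))
```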

Resolution

1. Check that the ESXi certificate mode in vCenter is VMCA
a) In the vSphere Client, select the vCenter Server system that manages the hosts.
b) Click Configure, and under Settings, click Advanced Settings.
c) Click Edit Settings.
d) Click the Filter icon in the Name column, and in the Filter box,
   enter "vpxd.certmgmt.mode" to display only certificate management parameters.
   The value should be "vmca".

2. Take the ESXi host out of maintenance mode.

3. Renew the ESXi certificate:
   Right-click the ESXi host in the inventory > Certificates > Renew/Refresh Certificate

Refer: Renew or Refresh ESXi Certificates
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/vsphere-security-7-0/securing-esxi-hosts/certificate-management-for-esxi-hosts/renew-esxi-certificates.html