Starting in vSphere 8.0 Update 3, you can replace the default VMCA-signed ESXi certificates with custom certificates from the vSphere Client.
vSphere 8.0 U3
The step-by-step process for renewing the ESXi host custom certificate from the vCenter UI, with screenshots, is given below:
Note: Before proceeding, read the Broadcom TechDoc "Replace the Default Certificate with a Custom Certificate Using the vSphere Client" and ensure that all prerequisites are met.
Step 1: Change the vCenter certificate mode to custom
Go to vCenter inventory --> Configure --> Advanced Settings --> Edit Advanced Settings --> Search for vpxd.certmgmt.mode
(Note that the "Value" field is case sensitive.)
Refer to the document "Change the ESXi Certificate Mode" for how to change the vCenter certificate mode.
Step 2: Navigate to the host in the vCenter inventory, select Configure > System > Certificate, and click Manage With External CA
Step 3: Click Generate CSR using FQDN
Step 4: Copy the generated CSR
Step 5: Paste the CSR into the Microsoft CA, select the "Web Server" template, and submit
Step 6: Choose Base 64 encoded and click "Download certificate", NOT the certificate chain
Step 7: Return to the vCenter UI and click "Import and Replace"
Step 8: Select "Replace with external CA certificate where CSR is generated by ESXi (Private key embedded)".
Step 9: Click Browse, select the downloaded certificate, and click Next.
Step 10: Review and click Finish
The CA certificate is now updated.
Note: If the certificate renewal was successful but the certificate does not change, disconnect and reconnect the host.
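A pre-import check for the file downloaded in Step 6, as an added example that is not part of the original article: it confirms the file is a single Base64 (PEM) certificate rather than a chain, that its public key matches the CSR generated on the host, and that it names the host FQDN. The function names, file names and the host name esx01.example.test are assumptions, and the sample key, CSR and certificate are constructed on the spot with the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original article. Requires the openssl CLI.
# check_issued_cert <csr> <issued cert file> <host FQDN>; returns 0 if fit to import.
check_issued_cert() {
    csr=$1; crt=$2; fqdn=$3
    # Step 6: the file must be Base64 (PEM) and hold one certificate, not a chain.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$crt" || true)
    if [ "$count" != 1 ] || ! openssl x509 -in "$crt" -noout 2>/dev/null; then
        echo "FAIL: expected one PEM certificate (BEGIN markers found: $count)" >&2
        return 1
    fi
    # The CSR was generated by ESXi, so the private key stayed on the host:
    # the issued certificate must carry the same public key as the CSR.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    crt_key=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$csr_key" ] || [ "$csr_key" != "$crt_key" ]; then
        echo "FAIL: certificate public key does not match the CSR" >&2
        return 2
    fi
    # Step 3 generated the CSR using the FQDN; the certificate must name that host.
    if ! openssl x509 -in "$crt" -noout -checkhost "$fqdn" 2>/dev/null \
            | grep -q 'does match'; then
        echo "FAIL: certificate is not valid for $fqdn" >&2
        return 3
    fi
    echo "OK: $crt matches $csr and names $fqdn"
}

# Constructed sample: a throwaway key and CSR stand in for the CSR from Step 3,
# and a self-signed certificate stands in for the one the CA returns in Step 6.
make_sample() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/host.csr" -signkey "$dir/host.key" \
        -days 1 -out "$dir/host.cer" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" esx01.example.test
check_issued_cert "$tmp/host.csr" "$tmp/host.cer" esx01.example.test
```

For a real host, save the CSR copied in Step 4 to a file and pass it together with the downloaded certificate and the host's FQDN.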