ESXi hosts out of the box ship with self-signed certificates. This KB article discusses how to switch from self-signed certs to (CA) trusted certs.

VMware vSphere ESXi

To switch from the default self-signed certificates on ESXi to CA-signed "trusted certs", you can do it in two different ways.

1. Update ESXI hosts with CA_signed certificates:
For ESXi 8.0: Replacing the Default ESXi Certificate with a Custom Certificate

For VCF 9.0: Replace Certificates with Custom Certificates Using the vSphere Client

2. Make vCenter Server's VMCA into an Intermediate CA (certificate authority):
For ESXi 8.0: Make VMCA Into an Intermediate Certificate Authority Using the CLI

For VCF 9.0: Make VMCA Into an Intermediate Certificate Authority Using the CLI