vSphere uses TLS certificates to protect and secure communication between vCenter and the ESXi hosts, and when users access the vCenter web GUI.
There are many possible configurations:
- Full Managed Mode -> All certificates are managed by the VMCA.
- Hybrid Mode -> The certificates for traffic from vCenter to ESXi are managed by the VMCA. The admin user imports from the private PKI only the SSL certificate for access to the web GUI.
- Subordinate CA Mode -> The VMCA is configured as a subordinate CA of the private PKI.
- Full Custom Mode -> All certificates are generated and managed by the local private PKI.
The best solution is Hybrid Mode, because it gives the right balance between security and implementation effort.