I ran into a similar issue with VCSA 6 and using custom certificates. The problem turns out to be that the certificate authority (CA) that I am using is signed by another intermediate authority, which is also signed by another authority. What happens is that when the trusted certificate chain is pushed to the ESXi server, it only gives it the CA that signed the certificate and not the whole chain. Unfortunately, fixing this requires using more than the certificate-manager tool. I had to import both the intermediate and root certificates into the VECS on the VCSA using the following command:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert <path to cert>
Where the <path to cert> is a path to the intermediate and root CA certificates. In my example, I am using InCommon RSA CA. InCommon RSA CA is signed by UserTrust. UserTrust is then signed by AddTrust. I had to go out and get the public certificates to the InCommon RSA CA, UserTrust, and AddTrust CAs. I put each of those certificates in a different file and then imported them one by one. I did not import the InCommon RSA CA since that will be imported by certificate-manager during the import of the custom certificate. Once the intermediate and root CA certificates were in VECS, I then followed the directions here:
Replacing vCenter 6.0’s SSL Certificate - VMware Blogs
to replace the machine certificates.
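The post describes putting each intermediate and root CA certificate into its own file and publishing them one by one. The following is an added example, not code from the original post or from VMware: a small POSIX shell helper that splits a PEM chain bundle into one file per certificate, lets you inspect the subject/issuer ordering with openssl before publishing, and then runs the same dir-cli command the post uses against each file. The bundle and output paths are hypothetical; the only real path is the dir-cli binary taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Splits a PEM bundle such as
# "chain.pem" into cert-1.pem, cert-2.pem, ... so that each intermediate or
# root CA certificate can be published to VECS separately.
# Assumptions: the bundle is PEM text; the output directory is writable;
# file names and directories are hypothetical placeholders.

# split_chain BUNDLE OUTDIR -> writes OUTDIR/cert-N.pem for each certificate
split_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Only lines between BEGIN and END markers are copied, so any blank
    # lines or comments between certificates in the bundle are dropped.
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/  { inside = 0; close(out) }
    ' "$bundle"
}

# count_certs OUTDIR -> number of certificate files produced by split_chain
count_certs() {
    ls "$1"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# show_chain OUTDIR -> subject and issuer of each file, to confirm that every
# issuer in the chain (e.g. UserTrust, AddTrust in the post) is present.
# Requires the openssl CLI.
show_chain() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# publish_chain OUTDIR -> publish every split certificate to VECS using the
# dir-cli command from the post (prompts for the SSO administrator password).
publish_chain() {
    for f in "$1"/cert-*.pem; do
        /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert "$f"
    done
}

# Usage (hypothetical paths):
#   split_chain /tmp/chain.pem /tmp/ca-split
#   show_chain  /tmp/ca-split
#   publish_chain /tmp/ca-split
```

Run show_chain before publish_chain: each certificate's issuer should match the subject of the next one up the chain, and the last file should be the self-signed root. If a link is missing, ESXi hosts still end up with an incomplete trust chain no matter how many times the custom certificate is re-imported.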