If you are replacing your ESXi certificates with CA certificates, the best method is to make your VCSA a subordinate CA and allow it to sign certificates for the ESXi host. VMware has released a KB article on how to make your VCSA a subordinate CA.
After configuring the VCSA as a subordinate CA, you have to wait 24 hours before updating the ESXi host certificates. If you try to update the certificates sooner, you receive an error.
This is a safety mechanism to avoid time synchronization issues, as stated in this KB article. During those 24 hours you will also not be able to add new ESXi hosts to your inventory!