Hello, our internal vulnerability scanner had complained about 8 untrusted certificates. So I created a CSR via the vSphere client and created a signed certificate via our CA, downloaded the .prt file, and converted it to PEM. Afterwards I installed the PEM file, as well as the root certificate (including intermediate and root). All ports are fine, except port 636. There I still get "SSL Certificate cannot be trusted" and get "Verify return code: 21 (unable to verify the first certificate)" via openssl.
While you may not be using AD, 636 is still an important port for functionality of vSphere (vCS) to other products (internal vSphere SSO authentication) likely in the stack. So it's not one you want to block.
On the certificate side, you have options. The 'fastest' is to accept the risk, but it depends on where your VM stack operates, so that may not be a choice.
This is a good KB for regenerating certificates for VCSA (assuming you're running that on v7):
https://kb.vmware.com/s/article/2112283
Hopefully that helps!
Self-signed VMCA certificates are not an option; they are not secure enough and will also create vulnerabilities, which our scanner won't accept. I have installed a signed certificate as the machine SSL certificate, which is working fine for all ports, except 636!
On port 636 it cannot handle certificate chains, from my point of view.
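The symptom in the thread (port 443 passes, port 636 fails with "unable to verify the first certificate") is what a client sees when a listener sends only the leaf certificate and not the intermediate that links it to the trusted root. The script below is an added example, not part of this thread or any VMware tooling: it builds a throwaway root, issuing CA and machine certificate (all names constructed, `vcenter.example.test` is a placeholder), shows that the leaf alone fails to verify against the root, shows the same leaf verifying once the intermediate is supplied, and includes a helper that counts how many certificates a live listener actually sends. Locally, `openssl verify` stops at its error 20 ("unable to get local issuer certificate"); `s_client` reports the same missing link as "Verify return code: 21".

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway root -> issuing CA -> leaf
# chain, then shows why a listener that sends only the leaf fails validation and
# why supplying the intermediate fixes it. All names below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the script does not depend on a system openssl.cnf.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused-overridden-by-subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vcenter.example.test
EOF

# 1. Self-signed root CA (stand-in for the enterprise root the scanner trusts).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 2 -subj "/CN=Demo Root CA" -config ext.cnf -extensions v3_ca 2>/dev/null

# 2. Issuing (intermediate) CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Issuing CA" -config ext.cnf 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 2 -extfile ext.cnf -extensions v3_ca 2>/dev/null

# 3. Machine (leaf) certificate signed by the issuing CA.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=vcenter.example.test" -config ext.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 2 -extfile ext.cnf -extensions v3_leaf 2>/dev/null

# What a client sees when a listener presents only the leaf: the root is trusted,
# but nothing links the leaf to it, so validation fails (openssl verify stops at
# error 20; s_client reports the same gap as "Verify return code: 21").
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# What the client sees once the intermediate is also presented. The chain file
# a service should be configured with is the leaf followed by the intermediate.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Number of certificates a live TLS listener actually sends. A result of 1 means
# only the leaf is served, and remote clients will hit exactly the failure above.
# Not run here (needs network); usage: served_chain_depth vcenter.example.test 636
served_chain_depth() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if verify_leaf_only; then
  echo "unexpected: leaf verified without its intermediate"
else
  echo "leaf alone: verification fails (missing intermediate)"
fi
if verify_with_intermediate; then
  echo "leaf + intermediate: verification succeeds"
fi
```

To compare listeners the way the scanner does, run `served_chain_depth` against port 443 and port 636 of the same host: if 443 returns 2 or more and 636 returns 1, the LDAPS listener is the one that has not picked up the intermediate, and the fix is on the chain configured for that service rather than on the certificate itself.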