vSphere encrypts session information using standard digital certificates. Using the default certificates that vSphere creates might not comply with the security policy of your organization. If you require a certificate from a trusted certificate authority, you can replace the default certificate.
Certificate checking is enabled by default and SSL certificates are used to encrypt network traffic. However, ESXi uses automatically generated certificates that are created as part of the installation process and stored on the server system. These certificates are unique and make it possible to begin using the server, but they are not verifiable and are not signed by a trusted, well-known certificate authority (CA). These default certificates are vulnerable to possible man-in-the-middle attacks.
To receive the full benefit of certificate checking, especially if you intend to use encrypted remote connections externally, install new certificates that are signed by a valid internal certificate authority or public key infrastructure (PKI) service. Alternatively, purchase a certificate from a trusted security authority.
VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over Secure Sockets Layer (SSL) protocol connections between components. For example, communications between a vCenter Server system and each ESXi host that it manages are encrypted, and some features, such as vSphere Fault Tolerance, require the certificate verification provided by SSL.
The client verifies the authenticity of the certificate presented during the SSL handshake phase, before encryption, which protects against "man-in-the-middle" attacks. When you replace default vCenter and ESXi certificates, the certificates you obtain for your servers must be signed and conform to the Privacy Enhanced Mail (PEM) key format. PEM is a key format that stores data in a Base-64 encoded Distinguished Encoding Rules (DER) format.
The key used to sign certificates must be a standard RSA key with a key length that ranges from 512 to 4096 bits. The recommended length is 2048 bits. Certificates signed by a commercial certificate authority, such as Entrust or VeriSign, are pre-trusted on the Windows operating system. However, if you replace a certificate with one signed by your own local root CA, or if you plan to continue using a default certificate, you must pre-trust the certificate by importing it into the local certificate store for each vSphere Client instance. You must pre-trust all certificates that are signed by your own local root CA, unless you pre-trust the parent certificate, the root CA's own certificate.
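As an added example (not part of the VMware document), the following stdlib-only Python checker applies the requirements from the paragraphs above to a PEM certificate: it strips the Base-64 wrapper back to DER, walks the X.509 structure to confirm the public key is RSA with a modulus of 512 to 4096 bits (flagging 2048 as the recommended size), and compares issuer with subject to spot a self-signed certificate that would still need to be pre-trusted. The `sample_cert_pem` helper builds a constructed, unsigned certificate skeleton with made-up names purely so the checker can be exercised offline; it is not a real certificate, and a real replacement certificate would come from your CA.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")         # rsaEncryption 1.2.840.113549.1.1.1
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def read_tlv(der, pos=0):
    """Decode one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def children(body):  # split a constructed element's value into its (tag, value) members
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def check_vsphere_cert(pem):
    """Check a PEM certificate against the key and signing requirements stated in the text."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    tbs = children(children(read_tlv(der)[1])[0][1])    # Certificate -> tbsCertificate fields
    if tbs[0][0] == 0xA0:                               # skip the explicit [0] version field
        tbs = tbs[1:]
    _serial, _sig_alg, issuer, _validity, subject, spki = tbs[:6]
    alg, pubkey = children(spki[1])
    is_rsa = children(alg[1])[0][1] == RSA_OID
    # BIT STRING value = unused-bits byte, then RSAPublicKey SEQUENCE { modulus, exponent }
    modulus = children(read_tlv(pubkey[1], 1)[1])[0][1] if is_rsa else b""
    bits = int.from_bytes(modulus, "big").bit_length()
    return {"rsa": is_rsa, "bits": bits, "in_range": is_rsa and 512 <= bits <= 4096,
            "recommended": bits == 2048, "self_signed": issuer[1] == subject[1]}

def tlv(tag, body):  # DER-encode one element, short or long length form
    n = len(body)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + body

def sample_cert_pem(bits, issuer_cn, subject_cn):
    """Constructed certificate skeleton for the demo only: valid structure, dummy signature bytes."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))
    alg = lambda oid: tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    modulus = tlv(0x02, b"\x00" + (1 << (bits - 1)).to_bytes(bits // 8, "big"))
    spki = tlv(0x30, alg(RSA_OID) + tlv(0x03, b"\x00" + tlv(0x30, modulus + tlv(0x02, b"\x01\x00\x01"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(SHA256_RSA_OID)
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    b64 = base64.b64encode(tlv(0x30, tbs + alg(SHA256_RSA_OID) + tlv(0x03, b"\x00" * 9))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----"
```

Feed `check_vsphere_cert` the PEM file your CA returned; a result with `self_signed` true, or `in_range` false, is a certificate that does not meet the requirements above without further action.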
http://www.vmware.com/files/pdf/techpaper/replacing-vCenter-Server-5-ESXi-Certificates.pdf