I ran into this myself two weeks ago.
A solution/workaround is actually documented in the VMware vCenter Server 6.7 Update 3 Release Notes; see "You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system".
Joining new hosts failed with certificate issues - I was getting certificate issues when trying to join NEW hosts to a new host cluster in this datacenter in vSphere. There is a vCenter setting (vCenter -> Configure -> Settings -> Advanced Settings -> vpxd.certmgmt.mode) with a default value of 'vmca', and VMware support had changed the value to 'thumbprint' which then allowed the new hosts to join the cluster using their default certificates (these were newly installed ESXi 6.7 hosts). Once they were added successfully, this setting was changed back to its default 'vmca'.
Worked for me as well.
Was grinding on this, fixed my issue, thanks for sharing the fix!
Appreciate this is an older post now, but I've just had this issue occur myself.
It turned out that the host system date/time was "catastrophically" out (years out).
By setting this correctly on the host and rebooting, then retrying the operation, all was fine!
While changing vpxd.certmgmt.mode to thumbprint works, I still questioned why this was happening all of a sudden. In my case, it turns out the host time was the issue. Correcting the host time resolved it for me and allowed me to add the host without modifying the certmgmt.mode setting.