According to the documentation you do have to enable maintenance mode, I do not see a workaround I'm afraid.

Configuring CA signed certificates for ESXi 6.0 hosts (2113926) | VMware KB

Installing and configuring the certificate on the ESXi host   

After the certificate is created, complete the installation and configuration of the certificate on the ESXi 6.0 host:

1. Log in to vCenter Server.
2. Put the host into Maintenance Mode.
3. Navigate to the console of the server to enable SSH on the ESXi 6.0 host.
4. Press F2 to log in to the Direct Console User Interface (DCUI).
5. Click Troubleshooting options > Enable SSH.
6. Log in to the host and then navigate to /etc/vmware/ssl.
7. Copy the files to a backup location, such as a VMFS volume.
8. Log in to the host with WinSCP and navigate to the /etc/vmware/ssl directory.
9. Delete the existing  rui.crt and  rui.key from the directory.
10. Copy the newly created  rui.crt and  rui.key to the directory using Text Mode or ASCII mode to avoid the issue of special characters (  ^M) appearing in the certificate file.
11. Type vi rui.crt to validate that there are no extra characters.
    
    Note: There should not be any erroneous  ^M characters at the end of each line.
    
    
12. Switch back to the DCUI of the host and select Troubleshooting Options > Restart Management Agents.
13. When prompted press F11 to restart the agents. Wait until they are restarted.
14. Press ESC several times until you logout of the DCUI.
15. Exit the host from Maintenance Mode.