I ran into this myself two weeks ago.
A solution/workaround is actually documented in the VMware vCenter Server 6.7 Update 3 Release Notes, see "You might be unable to add a self-signed certificate to the ESXi trust store and fail to add an ESXi host to the vCenter Server system"
3 people found this helpful
Joining new hosts failed with certificate issues - I was getting certificate issues when trying to join NEW hosts to a new host cluster in this datacenter in vSphere. There is a vCenter setting (vCenter -> Configure -> Settings -> Advanced Settings -> vpxd.certmgmt.mode) with a default value of 'vmca', and VMware support had changed the value to 'thumbprint' which then allowed the new hosts to join the cluster using their default certificates (these were newly installed ESXi 6.7 hosts). Once they were added successfully, this setting was changed back to its default 'vmca'.