Encrypted vMotion

The vMotion encryption feature is not simply a blanket encryption of the network channel that carries vMotion traffic, and there are no certificates to manage.

The encryption happens at the per-VM level: when a VM is migrated, vCenter generates a random, one-time-use 256-bit key (it does not use the KMS). In addition, a 64-bit nonce (an arbitrary number used only once in a cryptographic operation) is generated. The encryption key and nonce are packaged into the migration specification sent to both hosts. From that point on, all of the VM's vMotion data is encrypted with both the key and the nonce, so a captured migration cannot be replayed.

Three options regarding encrypted vMotion are available:

  • Opportunistic: If both the source and the destination ESXi host support Encrypted vMotion, Encrypted vMotion will be used. If one of the hosts does not support encrypted vMotion, regular (unencrypted) vMotion will be used.
  • Required: Both source and destination ESXi host must be capable of encrypted vMotion. If the host is non-compliant, the vMotion will fail. In other words, encrypted vMotion will always be used.
  • Disabled: No encrypted vMotion will be used at all, only regular (unencrypted) vMotion will be used.
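The following PowerCLI snippet is an added example, not code from the book, showing how a defender would audit which of the three levels each VM is set to and raise non-compliant VMs to Required. It assumes the VMware.PowerCLI module and an existing Connect-VIServer session; the vSphere API property it reads and writes is VirtualMachineConfigInfo.migrateEncryption, whose values are the strings disabled, opportunistic and required. The function names are hypothetical.

```powershell
# Added example (not from the original text): audit and enforce the per-VM
# vMotion encryption level with PowerCLI. Assumes Connect-VIServer has
# already been run against the vCenter that manages the VMs.

function Get-VMotionEncryptionReport {
    param(
        # The level this environment treats as compliant
        [ValidateSet('disabled', 'opportunistic', 'required')]
        [string]$ExpectedLevel = 'required'
    )
    Get-VM | ForEach-Object {
        # migrateEncryption lives on the VM's config object in the vSphere API
        $level = $_.ExtensionData.Config.MigrateEncryption
        [pscustomobject]@{
            Name      = $_.Name
            Level     = $level
            Compliant = ($level -eq $ExpectedLevel)
        }
    }
}

function Set-VMotionEncryptionLevel {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VM,
        [ValidateSet('disabled', 'opportunistic', 'required')]
        [string]$Level = 'required'
    )
    process {
        # Reconfigure only the migrateEncryption field; everything else is untouched
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.MigrateEncryption = $Level
        $VM.ExtensionData.ReconfigVM($spec)
        Write-Verbose "Set vMotion encryption on $($VM.Name) to '$Level'"
    }
}

# Usage: list every VM that is still Opportunistic or Disabled ...
$report = Get-VMotionEncryptionReport -ExpectedLevel 'required'
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# ... and, once reviewed, move them to Required so unencrypted vMotion
# can never be negotiated for them:
# $report | Where-Object { -not $_.Compliant } |
#     ForEach-Object { Get-VM -Name $_.Name } |
#     Set-VMotionEncryptionLevel -Level 'required' -Verbose
```

The report step is deliberately separate from the enforcement step: with Required, a migration to a host that cannot do encrypted vMotion fails rather than falling back, so the list of affected VMs should be checked against the cluster's host capabilities before the setting is changed.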