So I spent a lot of time this evening working through similar issues. I had successfully configured a cluster with 4 virtual hosts on a new vSphere 5 U2 vCenter. I finally obtained some signed certificates and replaced all of the self signed certs. I confirmed that the ESXi hosts saw the new thumbprints using the support information from the DCUI. Immediately after doing this I began noticing that HA was acting up. I couldn't vMotion anything because HA errors were being detected on all hosts. The vCenter log showed the the vSphere HA availability state of this host has changed to Unreachable. On some hosts it was just hung at the election screen. However, the master HA owner was showing as green so it appeared to be affecting only the slaves.
Knowing that this was related to SSL I began researching and came across this KB: 2006210. Using this information I ran the following SQL query against the vCenter database:
SELECT id,EXPECTED_SSL_THUMBPRINT,HOST_SSL_THUMBPRINT FROM dbo.VPX_HOST
This returned the thumbprint of the host and what was expected from vCenter. What was really odd was the fact that they matched in the database. However when I compared the thumbprints to that of the certificates they were different. It appeared that vCenter didn't update the new thumbprints when I removed and readded to the hosts to vCenter. I tried multiple things like disconnecting and reconnecting and removing the hosts altogether. So I believe there are scripts to correct this but I took the manual approach for the small amount of virtual hosts that were being impacted. I used the following query to modify the thumbprints in SQL:
UPDATE dbo.VPX_HOST SET EXPECTED_SSL_THUMBPRINT = 'thumbprint' WHERE id = 'hostid' UPDATE dbo.VPX_HOST SET HOST_SSL_THUMBPRINT = 'thumbprint' WHERE id = 'hostid'
Make sure you replace the thmbprint and hostid with that of your certificates and host ID's.
One challenge I ran into was trying to figure out which Host ID belonged to which Virtual Host. If the host has VM's you can use this query to figure out the host ID's.
SELECT vpxv_vms.vmid, vpxv_vms.NAME, vpxv_vms.hostid, vpxv_hosts.NAME FROM vpxv_vms JOIN vpxv_hosts on VPXV_VMS.HOSTID = VPXV_HOSTS.HOSTID WHERE ( (vpxv_hosts.hostid = vpxv_vms.hostid) )
Im convinced this is a bug and may only impact someone replacing certificates after you have added hosts to vCenter. I hope to do more testing in my lab to see if I can reproduce this problem. Hope this helps others from dealing with the same headache I had.