I ran into an issue where configuring vSphere with an intermediate signing certificate and replacing certificates on all hosts would cause the storage providers to go offline. Refreshing host certificates would also cause the issue.
VMware support determined the cause was the removal of the vCenter SMS certificate in the hosts local trust store. This certificate is not pushed to the hosts when the trust store was refreshed. This behavior occurs at least on vSphere 6.7 and 7.0. To resolve the issue, it is necessary to manually add the SMS certificate to the hosts trust store.
Connect to vCenter and retrieve the SMS certificate
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store SMS
Install the SMS certificate into the hosts certificate store
Copy the certificate retrieved from vCenter to the following file on the ESXi hosts. The certificate should be appended to the end of the file. Do not remove any certificates currently in the castore.
Synchronize storage providers to bring the Storage Provider status back online
From the vCenter interface, select “Synchronize Storage Providers”, then Rescan any hosts with out of date certificate information.
This process must be repeated for each host and will be required any time the certificate trust list is pushed from vCenter to the hosts.