Security for vCenter server is really important. However, it is an organization's security policy and architecture decision whether to use certificates or not.
If your organization's policy requires a certificate, then you must use one. Also, if there is a potential possibility of man-in-the-middle attacks when using management interfaces, such as vSphere Web Client, then using certificates is a must.
VMware products use standard X.509 Version 3 certificates to encrypt session information sent over the Secure Socket Layer (SSL) protocol connections between components. However, by default, vSphere includes self-signed certificates. It is an organization's policy that will decide whether to use self-signed certificates or the internally signed or externally signed certificates. You need to purchase externally signed certificates unless you use the other two.
You need to keep a backup of those certificates to protect them from being lost or...