Yeah, if you're managing the certs you can generate the thumbprints. If using the self-signed certs, you have to dig into the system to get the thumbprint (or use the fault error message, which is a little cluttered and ugly if you are a perfectionist about your vSphere task/events tab).
You could certainly work into your kickstart some wget fetch of a certificate that is generated by a web request or something to remove that chicken-and-egg scenario. I've had customers do similar tooling to address the issue (they wanted all hosts built to auto-request a CA-signed cert from a central authority vs. self-signed).
Definitely doable; it might require a little setup and a few bits of code (shell or whatnot).
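As an added example (not part of the original post): one way to generate a thumbprint from a certificate you manage, or from a host's self-signed one, and check it against a pinned value before the host is added. It assumes the colon-separated SHA-1 form; the function names and the sample PEM are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import ssl
import sys

# First certificate block in a file that may hold a chain or leading text.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

# Constructed sample: the payload is placeholder bytes, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def thumbprint(pem_text: str, algo: str = "sha1") -> str:
    """Colon-separated upper-case digest of the first certificate's DER bytes."""
    block = _PEM_RE.search(pem_text)
    if block is None:
        raise ValueError("no PEM certificate block found")
    der = ssl.PEM_cert_to_DER_cert(block.group(0))
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(value: str) -> str:
    """Strip colons, spaces and case so differently formatted thumbprints compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def matches(pem_text: str, pinned: str, algo: str = "sha1") -> bool:
    """True when the certificate's thumbprint equals the pinned one."""
    actual = normalise(thumbprint(pem_text, algo))
    return hmac.compare_digest(actual, normalise(pinned))


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: thumbprint.py cert.pem   or   thumbprint.py host[:port]
    target = sys.argv[1]
    if os.path.exists(target):
        with open(target) as handle:
            pem = handle.read()
    else:
        # Fetched without validation: trust-on-first-use, so do this on the
        # build network and record the value for later comparison.
        host, _, port = target.partition(":")
        pem = ssl.get_server_certificate((host, int(port or 443)))
    print(thumbprint(pem))
```

Generating the thumbprint from the certificate file at issuance time, rather than fetching it from the host later, avoids trusting whatever answers on the network during the build.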