If you update an externally signed root or intermediate CA certificate in vSphere, you will likely run into an error when attempting to replace it: "Trusted root already exists".
[Figure: the error as shown in vCenter 7 and vCenter 8]
Attempting to add a new certificate will fail if it has the same subject key identifier as one that is already present in the trusted root store.
Additionally, you may run into trouble attempting to force-remove it through the command line, because the Machine SSL certificate depends on the integrity of the certificate chain.
To resolve this issue, we will want to switch the Machine SSL certificate back to a certificate issued by the internal VMCA. This removes the dependency on the external CA, allowing us to safely delete the old root/intermediate certificates from vCenter. We can then generate a new CSR through the UI and import the necessary certificates back into vCenter.
1. Take an offline snapshot of vCenter (ALL vCenters if in linked mode)
2. Replace the Machine SSL certificate with a VMCA-issued certificate using vSphere Certificate Manager
3. Remove the old root/intermediate CA certificates from the trusted root store
4. Import the updated CA certificates
5. Generate a CSR for the Machine SSL certificate (Administration > Certificate Management), sign the CSR with the external CA, and import the signed certificate into vCenter.
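Before importing the updated CA certificates (step 4), it helps to know in advance whether the new certificate will collide on the subject key identifier with one already in the trusted root store. The script below is an added example, not part of the original post or of VMware's tooling; it assumes the existing trusted roots have been exported as PEM files into a directory and uses `openssl` to compare the X509v3 Subject Key Identifier of the new certificate against each of them. The constructed demo store shows why a CA renewed with its existing key pair collides (same public key, same SKI) while a re-keyed CA does not.

```shell
#!/bin/sh
# Added pre-flight check: compare the Subject Key Identifier (SKI) of a CA
# certificate about to be imported with every trusted root already exported
# from the store. vCenter rejects a trusted root whose SKI already exists, and
# a CA renewed with the same key pair keeps its SKI (a hash of the public key).
set -eu

# Print a certificate's SKI as lowercase hex without colons (empty if absent).
ski_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Key Identifier/ { getline; gsub(/[: \t]/, ""); print tolower($0); exit }'
}

# check_ski_conflict NEW_CERT STORE_DIR
# STORE_DIR holds one PEM file per trusted root (*.crt), e.g. exported from vCenter.
# Returns 0 when NEW_CERT can be added, 1 on an SKI collision or a missing SKI.
check_ski_conflict() {
    new_ski=$(ski_of "$1")
    if [ -z "$new_ski" ]; then
        echo "$1: no Subject Key Identifier extension" >&2
        return 1
    fi
    for f in "$2"/*.crt; do
        [ -e "$f" ] || continue
        if [ "$(ski_of "$f")" = "$new_ski" ]; then
            echo "conflict: $f already carries SKI $new_ski" >&2
            return 1
        fi
    done
    return 0
}

# Constructed demo data (hypothetical CA, generated on the fly); prints the dir:
#   store/old-root.crt - the CA currently trusted
#   renewed-root.crt   - same CA re-issued with the SAME key  -> same SKI
#   rekeyed-root.crt   - same subject re-issued with a NEW key -> new SKI
make_demo_store() {
    d=$(mktemp -d)
    mkdir "$d/store"
    subj="/CN=Constructed Example Root CA"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/store/old-root.crt" -subj "$subj" -days 30 2>/dev/null
    openssl req -x509 -new -key "$d/root.key" \
        -out "$d/renewed-root.crt" -subj "$subj" -days 3650 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/new.key" \
        -out "$d/rekeyed-root.crt" -subj "$subj" -days 3650 2>/dev/null
    echo "$d"
}
```

A renewed root that fails this check is exactly the case where the old trusted root has to be removed first, which is what steps 2 and 3 make possible.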