If you renew an externally signed root or intermediate CA certificate in vSphere, you will likely hit the error "Trusted root already exists" when you try to replace it.
In some cases the Machine SSL certificate itself updates on the vCenter Server normally, but the intermediate and/or root certificate keeps showing the old expiry date under Menu -> Administration -> Certificate Management.
VMware vCenter Server 7.x
VMware vCenter Server 8.x
This issue occurs because a certificate with the same Subject Key Identifier (SKI) is already present in the vCenter Server trusted root store, so the renewed CA certificate is rejected as a duplicate.
To resolve this issue, switch the Machine SSL certificate back to a self-signed certificate issued by the internal VMCA. This removes the dependency on the external CA so the old root/intermediate certificates can be safely deleted from vCenter. You can then generate a new CSR through the UI and import the custom certificate back into vCenter:
1. Take an offline snapshot of vCenter. If the vCenter Servers are in Enhanced Linked Mode (ELM), take powered-down snapshots of all of them.
2. Replace the custom certificate with a VMCA-signed certificate: Replace Machine SSL certificate with VMCA certificate with vSphere Certificate Manager
3. Remove the previous root and intermediate (if applicable) certificates from the Trusted Roots store: Identify and remove the desired certs from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store
4. Once done, renew the certificates again with an external CA-signed certificate as desired: Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate
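As an added example (not from this KB), the identification half of step 3 can be done offline: parse a `vecs-cli entry list --store TRUSTED_ROOTS --text` dump and list the entries whose Subject Key Identifier matches the renewed CA certificate, since those are the ones that trigger "Trusted root already exists". The dump, aliases and SKI values below are constructed, and the dump layout is assumed to follow the appliance's text output.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `vecs-cli entry list --store TRUSTED_ROOTS --text`
# output, trimmed to the fields used here (not captured from a real appliance).
SAMPLE_DUMP = """\
Number of entries in store :\t2
Alias :\ta1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
        Validity
            Not After : Jan  1 00:00:00 2024 GMT
        Subject: CN=Corp Root CA, O=Example Corp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
Alias :\t0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c
        Validity
            Not After : Jan  1 00:00:00 2030 GMT
        Subject: CN=Corp Issuing CA, O=Example Corp
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:01:02:03:04
"""

@dataclass
class TrustedRoot:
    alias: str
    subject: str
    not_after: str
    ski: str

def parse_vecs_dump(text):
    """Split the dump on 'Alias :' lines; pull subject, expiry and SKI from each entry."""
    roots = []
    for block in re.split(r"^Alias :\s*", text, flags=re.M)[1:]:
        alias = block.splitlines()[0].strip()
        subject = re.search(r"^\s*Subject:\s*(.+)$", block, re.M).group(1).strip()
        not_after = re.search(r"Not After\s*:\s*(.+)$", block, re.M).group(1).strip()
        ski = re.search(r"Subject Key Identifier:\s*([0-9A-Fa-f:]{2,})", block).group(1)
        roots.append(TrustedRoot(alias, subject, not_after, ski.upper()))
    return roots

def find_ski_conflicts(roots, new_cert_ski):
    """Entries sharing the renewed CA certificate's Subject Key Identifier: these are
    the stale copies that make the import fail with 'Trusted root already exists'."""
    return [r for r in roots if r.ski == new_cert_ski.upper()]

def delete_commands(conflicts):
    """vecs-cli commands to remove the stale copies (step 3); review before running."""
    return [f"/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS"
            f" --alias {r.alias} -y" for r in conflicts]
```

Take the renewed certificate's SKI from `openssl x509 -in new-root.pem -noout -ext subjectKeyIdentifier` and pass it to `find_ski_conflicts`; only run the generated delete commands after step 2 has moved the Machine SSL certificate back to VMCA.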