• Unable to Import Trusted Root Certificate from vSphere Client
• After a certificate is expired or near expiration, trying to add new certificate via vCenter vSphere web client UI is unsuccessful. 
  • For example, if a new root certificate is being added under Administration > Certificates > Certificate Management > Trusted Root > ADD TRUSTED ROOT CERTIFICATE, the new certificate does not appear. Instead, a spinning wheel appears in the middle of the page and just sits there.
• There are no task or event failures within vCenter

• vSphere 8.x

This happens when both the current CA certificate that is expiring or already expired, and the new certificate have the same Subject Key Identifier hash on them. 

To fix, the expired or expiring certificate needs to be removed from the certificate trust store.

To remove, either use vCert tool or,  Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS).

Once removed, import the new certificate using vCert or through the vSphere Client UI Certificate Management.