After a certificate has expired or is near expiration, adding a new certificate through the vCenter vSphere web client UI fails.
For example, if a new root certificate is added under Administration > Certificates > Certificate Management > Trusted Root > ADD TRUSTED ROOT CERTIFICATE, the new certificate does not appear. Instead, a spinning wheel appears in the middle of the page and stays there indefinitely.
No task or event failures are visible either.
vSphere 8.x
This happens when the current CA certificate (expiring or already expired) and the new certificate have the same Subject Key Identifier hash.
To fix this, remove the expired or expiring certificate from the certificate trust store.
To remove it, either use the vCert tool or follow Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS).
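To confirm the cause before removing anything, the Subject Key Identifier of the new certificate can be compared against the trusted roots. The script below is an added example, not part of the original article or of VMware tooling; it assumes the TRUSTED_ROOTS entries have already been exported as `*.pem` files into a directory, and the function names and paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: list exported trusted-root certificates whose Subject Key
# Identifier (SKI) matches the SKI of a new CA certificate.
# Assumption: the trusted roots were exported beforehand as PEM files.

# Print the SKI of a PEM certificate as hex without colons.
# Prints nothing when the certificate carries no SKI extension.
cert_ski() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Key Identifier' | tail -n 1 | tr -d ' :\n'
}

# For every *.pem in store_dir with the same SKI as new_cert, print the
# file path, its expiry date and whether it has already expired.
# Returns 0 if at least one match was found, 1 if none, 2 if new_cert has no SKI.
find_ski_collisions() {
    local new_cert=$1 store_dir=$2 new_ski f state found=1
    new_ski=$(cert_ski "$new_cert")
    [ -n "$new_ski" ] || { echo "no SKI found in $new_cert" >&2; return 2; }
    for f in "$store_dir"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(cert_ski "$f")" = "$new_ski" ]; then
            # -checkend 0 exits non-zero when the certificate is already expired
            if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
                state="still valid"
            else
                state="expired"
            fi
            printf '%s\t%s\t%s\n' "$f" \
                "$(openssl x509 -in "$f" -noout -enddate)" "$state"
            found=0
        fi
    done
    return $found
}

# Stand-alone use: script.sh <new-ca.pem> <dir-with-exported-roots>
if [ "$#" -eq 2 ]; then
    find_ski_collisions "$1" "$2"
fi
```

Any file it lists is a candidate for the removal step described above; a CA certificate reissued from the same key pair normally keeps the same SKI, which is the situation this check detects.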