Post replacing the vCenter Machine SSL custom certificate with a new one, still seeing alerts related to certificates about to expire in vSphere UI

Article ID: 414439

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Replacing the Machine SSL certificate with a custom certificate completes successfully. However, after the replacement, the alert "certificates about to expire" still appears in the vSphere UI.

  • The certificate was replaced using the vCert utility and not via the default vSphere Certificate Manager utility.

  • None of the certificates in use are expired.

  • No expired certificates are present in the Backup Store.

  • The TRUSTED_ROOTS store has an expired issuer certificate.

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

An expired issuer certificate is still present in the TRUSTED_ROOTS store. After the vCert utility is run, the same certificate is also added to the MACHINE_SSL_CERT store.

Resolution

  1. Remove the expired issuer certificate in the TRUSTED_ROOTS store by following either the Manual Method or Scripted Method.

  2. Once the old certificate is removed, add the new signing certificate to the TRUSTED_ROOTS store manually.

  3. Restart all the services on the vCenter server.
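A read-only check for finding which TRUSTED_ROOTS entry step 1 applies to, and for confirming afterwards that none remain. This is an added example, not part of the original article or the vCert utility. It parses a text listing of the store and reports entries whose Not After date has passed. The listing layout is assumed to match the output of `/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text`, and the sample aliases, subjects and dates are constructed.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the assumed layout of the vecs-cli text listing;
# aliases, subjects and dates are made up for illustration.
SAMPLE = """\
Number of entries in store :\t2
Alias :\texample-alias-old-issuer
Entry type :\tTrusted Cert
Certificate:
    Data:
        Issuer: CN=Example Old Issuing CA
        Validity
            Not Before: Jan 10 00:00:00 2014 GMT
            Not After : Jan 10 00:00:00 2024 GMT
        Subject: CN=Example Old Issuing CA
Alias :\texample-alias-new-issuer
Entry type :\tTrusted Cert
Certificate:
    Data:
        Issuer: CN=Example New Issuing CA
        Validity
            Not Before: Mar  1 00:00:00 2024 GMT
            Not After : Mar  1 00:00:00 2034 GMT
        Subject: CN=Example New Issuing CA
"""

ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)", re.M)
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*GMT")
SUBJECT_RE = re.compile(r"Subject:\s*(.+)")

def expired_entries(listing, now=None):
    """Return [(alias, subject, not_after)] for entries already past Not After."""
    now = now or datetime.now(timezone.utc)
    parts = ALIAS_RE.split(listing)[1:]  # [alias1, body1, alias2, body2, ...]
    found = []
    for alias, body in zip(parts[0::2], parts[1::2]):
        m = NOT_AFTER_RE.search(body)
        if not m:
            continue  # entry without a parsable validity block
        stamp = " ".join(m.group(1).split())  # collapse the padded day ("Mar  1")
        not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        subj = SUBJECT_RE.search(body)
        if not_after <= now:
            found.append((alias, subj.group(1).strip() if subj else "?", not_after))
    return found

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for alias, subject, not_after in expired_entries(text):
        print(f"EXPIRED alias={alias} subject={subject} notAfter={not_after:%Y-%m-%d}")
```

Piping the listing of the MACHINE_SSL_CERT store through the same script checks the second store named under Cause.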

Additional Information

Replacing externally signed root CA certificate in vCenter - "Trusted root already exists"