Replace the expiring certificates in the TRUSTED_ROOTS store without replacing the Machine SSL Certificate

Article ID: 417420

Products

VMware vCenter Server

Issue/Introduction

  • A Root, Intermediate or Signing certificate is expiring or has expired.
  • The expiring or expired certificate has been renewed in the internal CA.
  • The vCenter Machine SSL Certificate is still valid for some more time.
  • The expiring or expired Root, Intermediate or Issuer certificate needs to be replaced without replacing the current Machine SSL Certificate.

Environment

  • vCenter 7.x
  • vCenter 8.x
  • vCenter 9.x

Resolution

It is possible to replace the expired or expiring CA certificate in the TRUSTED_ROOTS store without replacing the current Machine SSL Certificate. To perform the replacement, follow the steps below.

  1. Identify the expired or expiring certificate and remove it by following the steps in: Verify and remove CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS)
  2. Upload the new certificate to the vCenter TRUSTED_ROOTS store using the vCenter UI: Add a Trusted Root Certificate to the Certificate Store Using the vSphere Client
  3. SSH in to vCenter and restart all services to ensure that vCenter functionality is intact.
    service-control --stop --all && service-control --start --all
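
For step 1, an added example (not part of the original article and not VMware tooling) that flags expired or soon-to-expire entries in a saved text listing of the store and reports whether a renewed certificate with the same subject is already present. It assumes the listing comes from `/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text` and contains `Alias :`, `Not After :` and `Subject:` lines; the sample data, aliases and function names are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample; layout assumed to match the store's text listing.
SAMPLE = """\
Alias :\texample-alias-old-root
Entry type :\tTrusted Cert
            Not After : Jan 10 00:00:00 2025 GMT
        Subject: CN=Example Internal Root CA
Alias :\texample-alias-renewed-root
Entry type :\tTrusted Cert
            Not After : Dec  1 00:00:00 2034 GMT
        Subject: CN=Example Internal Root CA
"""

def parse_listing(text):
    """Return one dict per store entry: alias, subject, not_after (UTC)."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"\s*Alias\s*:\s*(\S+)", line):
            cur = {"alias": m.group(1), "subject": None, "not_after": None}
            entries.append(cur)
        elif cur and (m := re.match(r"\s*Subject:\s*(.+)", line)):
            cur["subject"] = m.group(1).strip()
        elif cur and (m := re.match(r"\s*Not After\s*:\s*(.+)", line)):
            cur["not_after"] = datetime.strptime(
                m.group(1).strip(), "%b %d %H:%M:%S %Y GMT"
            ).replace(tzinfo=timezone.utc)
    return entries

def removal_candidates(entries, now, warn_days=30):
    """List (alias, status, renewed_present) for entries inside the window."""
    cutoff = now + timedelta(days=warn_days)
    # Subjects that also have a certificate valid beyond the warning window.
    renewed = {e["subject"] for e in entries
               if e["subject"] and e["not_after"] and e["not_after"] > cutoff}
    out = []
    for e in entries:
        if e["not_after"] is None:
            out.append((e["alias"], "unparsed", False))  # inspect by hand
        elif e["not_after"] <= cutoff:
            status = "expired" if e["not_after"] <= now else "expiring"
            out.append((e["alias"], status, e["subject"] in renewed))
    return out

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for row in removal_candidates(parse_listing(SAMPLE), now):
        print(*row)
```

A `renewed_present` value of `False` for an expired or expiring entry means no longer-lived certificate with the same subject is in the listing yet, which is worth resolving before the service restart in step 3.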

Additional Information

Update the vCenter Server TRUSTED_ROOTS Store (Custom Certificates)