certificate replacement on the vCenter Appliance with SSO admin user and without logging with root account via CLI.

Article ID: 433103

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Administrators who authenticate to the VCSA with an SSO administrative account rather than the local OS root account encounter "permission denied" errors when they use the CLI certificate tools (certificate-manager, certool, or vCert).
  • Granting bash shell access to the SSO user does not bypass these OS-level directory navigation and script execution restrictions.

Environment

VMware vCenter Server Appliance (VCSA) 7.x, 8.x

Cause

  • Certificate replacement scripts and utilities on the VCSA strictly require OS-level root privileges. These scripts must modify internal endpoint certificate stores, replace private keys, and restart protected system services.
  • An SSO administrator user lacks the necessary underlying operating system permissions to perform these actions, resulting in access restrictions.

Resolution

To resolve this issue and proceed with certificate replacement:

  1. Secure authorization to utilize the local OS root account for the vCenter Server Appliance.

  2. Establish an SSH session to the VCSA and log in directly using the root credentials.

  3. Launch the certificate-manager utility or the required certificate script.

  4. Follow standard prompts to replace the machine SSL or solution user certificates.
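The pre-flight check below is an added example and is not part of this KB article or of any VMware tool. It confirms, before certificate-manager is launched, that the shell session really is an OS root session (the condition the Cause section describes) and reports why the certificate tools will fail otherwise. It assumes the utility lives at /usr/lib/vmware-vmca/bin/certificate-manager (the usual VCSA location; set CERT_MANAGER if yours differs) and that the `id` command is available on the appliance.

```shell
#!/bin/sh
# Pre-flight check for VCSA certificate replacement (added example, not VMware code).
# Run it from the SSH session before starting certificate-manager; it distinguishes
# an OS root session from an SSO administrator's bash shell, which looks similar
# but lacks the OS-level permissions the certificate scripts require.

# Assumed location of the certificate-manager utility on the VCSA.
CERT_MANAGER="${CERT_MANAGER:-/usr/lib/vmware-vmca/bin/certificate-manager}"

# Returns 0 when the effective UID is 0 (the local OS root account), 1 otherwise.
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Returns 0 when the given tool path exists and is executable by this session.
tool_usable() {
    [ -x "$1" ]
}

# Verifies the session and the tool; exit status explains the outcome:
#   0 = ready to launch, 2 = not an OS root session, 3 = tool missing or not executable
preflight() {
    tool="${1:-$CERT_MANAGER}"
    if ! is_root; then
        echo "Logged in as '$(id -un)' (uid $(id -u)): certificate tools require the OS root account." >&2
        echo "A bash shell granted to an SSO administrator does not change this; SSH in as root." >&2
        return 2
    fi
    if ! tool_usable "$tool"; then
        echo "$tool is missing or not executable from this session." >&2
        return 3
    fi
    echo "Root session confirmed; $tool is ready to launch."
    return 0
}

# Usage on the appliance:  sh preflight.sh run
# Only launches certificate-manager when the check passes; without "run" the
# script just defines the functions above.
if [ "${1:-}" = "run" ]; then
    preflight "$CERT_MANAGER" && exec "$CERT_MANAGER"
fi
```

The exit codes 2 and 3 let the script be used from automation as well as interactively: code 2 is the symptom this article describes (an SSO admin session), while code 3 points at a missing or non-executable utility rather than a permission problem.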

Additional Information

Refer to the KB articles below for the standard certificate replacement procedures on the VCSA.

Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA
vCert - Scripted vCenter expired certificate replacement