Custom certificate update by vSphere Client fails with 'Certificate already exists'

Article ID: 442353

Products

VMware vCenter Server

Issue/Introduction

When updating a custom certificate through the vSphere Client, the operation fails with the following error:

[CERTIFICATE] Replace cert Failed: Certificate or id already exists

Environment

vCenter Server

Cause

The error occurs because the user is attempting to replace the Trusted root certificate chain with a certificate whose thumbprint is identical to that of the certificate currently assigned as the Machine SSL Certificate. The certificate management service compares the thumbprint of the uploaded certificate with the thumbprint of the installed one and, when they match, rejects the replacement as "Certificate already exists" rather than re-installing the same certificate.

Checking /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log on the vCenter Server confirms that the input certificate and the current certificate have the same thumbprint (the two INFO lines show the same value, and the ERROR line follows immediately):

INFO com.vmware.certificatemanagement.impl.utils.cert.CertUtil opId=] New input certificate thumbprint [thumbprint]
INFO com.vmware.certificatemanagement.impl.utils.cert.CertUtil opId=] Current certificate thumbprint: [thumbprint]
ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace opId=] TLS Certificate replacement failed : Certificate already exists

Resolution

Because the service refuses any replacement whose thumbprint matches the currently installed certificate, first replace the current certificate temporarily with one that has a different thumbprint, then run the custom certificate update again with the intended certificate. Use one of the following methods:

  • Use a Different Temporary Certificate
    Prepare a separate, valid certificate (different from both the current certificate and the intended final certificate), replace the current certificate with it, and then perform the custom certificate update with the intended certificate.

  • Use the vCert Script
    Temporarily replace the certificate with one issued by the VMware Certificate Authority (VMCA) using the vCert script. The VMCA-issued certificate has a different thumbprint, so the subsequent custom update proceeds.
    Refer to the following article for the vCert procedure:
    vCert - Scripted vCenter expired certificate replacement
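The following script is an added example and is not part of this article or of VMware's tooling. It performs the thumbprint comparison that the certificate management service does, so the conflict can be detected before the upload is attempted: it computes the SHA-1 thumbprint of the certificate you intend to upload, fetches the thumbprint of the certificate currently served on the vCenter Server's port 443 (the Machine SSL certificate by default), and also checks the two thumbprint lines from certificatemanagement-svcs.log quoted above. It assumes openssl is on PATH, that the host name given resolves to the vCenter Server, and that thumbprints in the log are hexadecimal inside square brackets as in the quoted lines; the function names and the verdict text are the example's own.

```shell
#!/bin/sh
# Added example, not from the KB article or from VMware.
# Pre-flight check for the "Certificate already exists" failure: the
# certificate management service rejects an upload whose SHA-1 thumbprint
# equals the thumbprint of the certificate already installed.
# Assumptions: openssl on PATH; <vcenter>:443 serves the Machine SSL
# certificate; log thumbprints appear as [HEX] like the KB's INFO lines.

# Normalise a thumbprint for comparison: drop colons, upper-case hex.
normalise_thumbprint() {
    tr -d ':' | tr 'a-f' 'A-F'
}

# SHA-1 thumbprint of a PEM certificate file (40 hex characters).
thumbprint_of_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' | normalise_thumbprint
}

# SHA-1 thumbprint of the certificate currently served by <host>:443.
# Network access is required; this is the only function that is not offline.
current_machine_ssl_thumbprint() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' | normalise_thumbprint
}

# Exit status 0 when two PEM files carry the same certificate.
same_thumbprint() {
    [ "$(thumbprint_of_pem "$1")" = "$(thumbprint_of_pem "$2")" ]
}

# Exit status 0 when the last "New input certificate thumbprint [..]" and
# "Current certificate thumbprint: [..]" lines in the log carry the same value,
# i.e. when the replacement attempt recorded there hit "already exists".
log_thumbprints_match() {
    new=$(grep 'New input certificate thumbprint' "$1" | tail -n 1 \
          | sed 's/.*\[\([^]]*\)].*/\1/' | normalise_thumbprint)
    cur=$(grep 'Current certificate thumbprint' "$1" | tail -n 1 \
          | sed 's/.*\[\([^]]*\)].*/\1/' | normalise_thumbprint)
    [ -n "$new" ] && [ "$new" = "$cur" ]
}

# Usage: preflight <new-cert.pem> <vcenter-fqdn>
# Prints a verdict and exits 1 when the upload would be rejected.
preflight() {
    new=$(thumbprint_of_pem "$1")
    cur=$(current_machine_ssl_thumbprint "$2")
    if [ -z "$cur" ]; then
        echo "Could not read the certificate served by $2:443" >&2
        return 2
    fi
    if [ "$new" = "$cur" ]; then
        echo "Thumbprint $new is already installed on $2."
        echo "The vSphere Client will fail with 'Certificate already exists';"
        echo "install a temporary certificate with a different thumbprint first."
        return 1
    fi
    echo "New thumbprint $new differs from installed $cur; the update can proceed."
}

# Run the pre-flight only when invoked with both arguments, so the file can
# also be sourced for its functions.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as `sh preflight.sh intended.pem vcenter.example.com` before re-uploading through the vSphere Client; a return code of 1 means you still need the temporary replacement from one of the methods above. `log_thumbprints_match /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log` confirms after the fact that a failed attempt was this issue rather than a different replacement error.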