When replacing a certificate on an ESXi host fails, the system creates certificate .bak files, which you can use to recover to the previous state.
The host certificate and key are located in /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. When you replace a host certificate by using either the vSphere Client or the vSphere Web Services SDK vim.CertificateManager managed object, and the replacement fails, the system creates .bak files for the previous key and certificate files.
When certificate replacement fails, you can restore previous certificates by copying over the .bak files to the current certificate and key files.