5. Locate ClusterManifest.current.xml in the cluster root folder, for example "C:\ProgramData\SF\Fabric\ClusterManifest.current.xml" (adjust to the data path actually deployed), and copy it to a working location such as C:\Temp\clusterManifest.xml.
6. Remove the read-only attribute from C:\Temp\clusterManifest.xml, then edit the file and update it with the new thumbprint.
a) Replace all occurrences of the old cert thumbprint with the new thumbprint.
7. Locate InfrastructureManifest.xml under the .\Fabric\Fabric.Data\InfrastructureManifest.xml path. In my case it is C:\ProgramData\SF\vm0\Fabric\Fabric.Data\InfrastructureManifest.xml, because the data root is C:\ProgramData. Copy it to C:\Temp as well.
8. Modify C:\Temp\InfrastructureManifest.xml and update it with the new thumbprint.
a) Replace all occurrences of the old cert thumbprint with the new thumbprint.
9. Run the following cmdlet to update the Service Fabric cluster, replacing the SvcFab path with the actual path.
13. After step 12 you should be able to reconnect to the cluster over SFX and PowerShell.
14. At this point SFX is working and you can call Connect-ServiceFabricCluster from one of the cluster nodes over a secure connection, but Get-ServiceFabricClusterConfiguration still gives you the old cluster thumbprint in the deployment JSON file.
As expected, Get-ServiceFabricClusterConfiguration still outputs the old, expired cluster cert thumbprint.
15. We will have to use Set-ServiceFabricUpgradeOrchestrationServiceState to get into the cluster state
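Steps 5 to 8 above (copy both manifests, clear the read-only attribute, swap the thumbprint) can be scripted so that every occurrence is replaced and the result is checked before it is used. This is an added example, not part of the original post. The thumbprints are placeholders, the source paths are the ones quoted in steps 5 and 7, and it assumes the new certificate is already installed in Cert:\LocalMachine\My.

```powershell
# Added example, not from the original post.
$ErrorActionPreference = 'Stop'

$OldThumbprint = '<OLD-THUMBPRINT>'   # placeholder: thumbprint of the expired cluster cert
$NewThumbprint = '<NEW-THUMBPRINT>'   # placeholder: thumbprint of the replacement cert

# Source paths as quoted in steps 5 and 7; adjust to your data root and node name.
$Manifests = @{
    'C:\ProgramData\SF\Fabric\ClusterManifest.current.xml'                = 'C:\Temp\clusterManifest.xml'
    'C:\ProgramData\SF\vm0\Fabric\Fabric.Data\InfrastructureManifest.xml' = 'C:\Temp\InfrastructureManifest.xml'
}

# Refuse to run with a malformed value (a SHA-1 thumbprint is 40 hex characters).
foreach ($t in $OldThumbprint, $NewThumbprint) {
    if ($t -notmatch '^[0-9A-Fa-f]{40}$') { throw "Not a 40-character hex thumbprint: $t" }
}

# Assumption: the new cert is in LocalMachine\My. Confirm it is usable before
# writing its thumbprint into the manifests.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$NewThumbprint"
if ($cert.NotAfter -le (Get-Date)) { throw "New certificate expired on $($cert.NotAfter)" }
if (-not $cert.HasPrivateKey)      { throw 'New certificate has no private key on this node' }

$pattern = [regex]::Escape($OldThumbprint)
foreach ($src in $Manifests.Keys) {
    $dst = $Manifests[$src]

    # Steps 5 and 7: work on a copy. Step 6: clear the read-only attribute on the copy.
    Copy-Item -Path $src -Destination $dst -Force
    Set-ItemProperty -Path $dst -Name IsReadOnly -Value $false

    # Steps 6a and 8a: replace every occurrence, ignoring hex case.
    $text = Get-Content -Path $dst -Raw
    $hits = [regex]::Matches($text, $pattern, 'IgnoreCase').Count
    if ($hits -eq 0) { throw "Old thumbprint not found in $src" }
    Set-Content -Path $dst -Value ($text -ireplace $pattern, $NewThumbprint) -Encoding UTF8 -NoNewline

    # Verify: the copy must still parse as XML and contain no trace of the old thumbprint.
    $after = Get-Content -Path $dst -Raw
    [xml]$null = $after
    if ($after -match $pattern) { throw "Old thumbprint still present in $dst" }
    Write-Host "$dst : replaced $hits occurrence(s)"
}
```

The script only touches the copies under C:\Temp; the manifests in the Service Fabric data root are left unchanged.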